diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn index ca2b15930d..82c001e81f 100644 --- a/.acrolinx-config.edn +++ b/.acrolinx-config.edn @@ -11,7 +11,7 @@ } :scores { ;;:terminology 100 - :qualityscore 65 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place + :qualityscore 80 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place ;;:spelling 40 } } diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 3e1c1d1d11..f9ebdac192 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -390,7 +390,7 @@ "elizapo@microsoft.com" ], "sync_notification_subscribers": [ - "daniha@microsoft.com" + "dstrome@microsoft.com" ], "branches_to_filter": [ "" @@ -431,9 +431,9 @@ "template_folder": "_themes.pdf" } }, - "need_generate_pdf": false, - "need_generate_intellisense": false, "docs_build_engine": { "name": "docfx_v3" - } -} + }, + "need_generate_pdf": false, + "need_generate_intellisense": false +} \ No newline at end of file diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index e6293265fe..76f303dc00 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -84,6 +84,11 @@ "source_path": "windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", + "redirect_document_id": false }, { "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md", @@ -1529,6 +1534,11 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list", + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md", @@ -2034,6 +2044,11 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list", + "redirect_document_id": false }, { "source_path": "windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md", @@ -2377,9 +2392,14 @@ }, { "source_path": "windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-windows-microsoft-antivirus", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus", @@ -15095,6 +15115,11 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip", + "redirect_document_id": false + }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/use-apis", @@ -15562,7 +15587,7 @@ }, { "source_path": "windows/hub/release-information.md", - "redirect_url": "https://docs.microsoft.com/windows/release-information", + "redirect_url": "https://docs.microsoft.com/windows/release-health/release-information", "redirect_document_id": true }, { @@ -15654,6 +15679,11 @@ "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac", + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md", @@ -15767,12 +15797,12 @@ }, { "source_path": "windows/release-information/status-windows-10-1703.yml", - "redirect_url": "https://docs.microsoft.com/windows/release-information/windows-message-center", + "redirect_url": "https://docs.microsoft.com/windows/release-health/windows-message-center", "redirect_document_id": true }, { "source_path": "windows/release-information/resolved-issues-windows-10-1703.yml", - "redirect_url": "https://docs.microsoft.com/windows/release-information/windows-message-center", + "redirect_url": "https://docs.microsoft.com/windows/release-health/windows-message-center", "redirect_document_id": false }, { @@ -16210,11 +16240,6 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus", "redirect_document_id": true }, - { - "source_path": "windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus", - "redirect_document_id": true - }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus", @@ -16499,6 +16524,21 @@ "source_path": "windows/hub/windows-10.yml", "redirect_url": "https://docs.microsoft.com/windows/windows-10", "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/update/waas-mobile-updates.md", + "redirect_url": "https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb", + "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr", + "redirect_document_id": false } ] } diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000000..f66a07d2e4 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,5 @@ +{ + "cSpell.words": [ + "emie" + ] +} \ No newline at end of file diff --git a/bcs/docfx.json b/bcs/docfx.json index 2fa639d038..02fe77ff2d 100644 --- a/bcs/docfx.json +++ b/bcs/docfx.json @@ -36,7 +36,16 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/microsoft-365/business/breadcrumb/toc.json", - "extendBreadcrumb": true + "extendBreadcrumb": true, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md index 3314f77577..bae1f59877 100644 --- a/browsers/edge/TOC.md +++ b/browsers/edge/TOC.md @@ -28,6 +28,6 @@ ## [Change history for Microsoft Edge](change-history-for-microsoft-edge.md) -## [Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md) +## [Microsoft Edge Frequently Asked Questions (FAQ)](microsoft-edge-faq.yml) diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 2529a88fea..af27551fc8 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -60,7 +60,7 @@ We have discontinued the **Configure Favorites** group policy, so use the [Provi |New or changed topic | Description | |---------------------|-------------| -|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.md) | New | +|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.yml) | New | ## February 2017 diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index 640106062b..1ef3407e17 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -42,7 +42,16 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Edge" + "titleSuffix": "Edge", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "externalReference": [], "template": "op.html", diff --git a/browsers/edge/group-policies/sync-browser-settings-gp.md b/browsers/edge/group-policies/sync-browser-settings-gp.md index cdce19d2e5..d948b2c862 100644 --- a/browsers/edge/group-policies/sync-browser-settings-gp.md +++ b/browsers/edge/group-policies/sync-browser-settings-gp.md @@ -6,17 +6,17 @@ manager: dansimp ms.author: dansimp author: dansimp ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: ms.localizationpriority: medium ms.topic: reference --- -# Sync browser settings +# Sync browser settings > [!NOTE] > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). -By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. +By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. ## Relevant policies @@ -38,7 +38,7 @@ You can find the Microsoft Edge Group Policy settings in the following location To verify the settings: 1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\). 2. Click **Settings**. -3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG) +3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.png) ## Do not sync browser settings diff --git a/browsers/edge/images/allow-smart-screen-validation.PNG b/browsers/edge/images/allow-smart-screen-validation.png similarity index 100% rename from browsers/edge/images/allow-smart-screen-validation.PNG rename to browsers/edge/images/allow-smart-screen-validation.png diff --git a/browsers/edge/images/sync-settings.PNG b/browsers/edge/images/sync-settings.png similarity index 100% rename from browsers/edge/images/sync-settings.PNG rename to browsers/edge/images/sync-settings.png diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md index c17f639024..375951a25c 100644 --- a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md +++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md @@ -2,7 +2,7 @@ author: eavena ms.author: eravena ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp ms.prod: edge @@ -25,9 +25,9 @@ ms.topic: include --- -To verify Windows Defender SmartScreen is turned off (disabled): +To verify Windows Defender SmartScreen is turned off (disabled): 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. -2. Verify the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG) +2. Verify the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.png) ### ADMX info and settings @@ -40,7 +40,7 @@ To verify Windows Defender SmartScreen is turned off (disabled): #### MDM settings - **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) - **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen - **Data type:** Integer #### Registry settings diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md deleted file mode 100644 index 632905e3cb..0000000000 --- a/browsers/edge/microsoft-edge-faq.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros -ms.reviewer: -audience: itpro -manager: dansimp -description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. -author: dansimp -ms.author: dansimp -ms.prod: edge -ms.topic: article -ms.mktglfcycl: general -ms.sitesec: library -ms.localizationpriority: medium ---- - -# Frequently Asked Questions (FAQs) for IT Pros - ->Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). - -## How can I get the next major version of Microsoft Edge, based on Chromium? -In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/). - -## What’s the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use? -Microsoft Edge is the default browser for all Windows 10 devices. It’s built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11. - -For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). - -## Does Microsoft Edge work with Enterprise Mode? -[Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. - -## How do I customize Microsoft Edge and related settings for my organization? -You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. - -## Is Adobe Flash supported in Microsoft Edge? -Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we’ve started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content. - -To learn more about Microsoft’s plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). - -## Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java? -No. Microsoft Edge doesn’t support ActiveX controls and BHOs like Silverlight or Java. If you’re running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and standards support. - -## How often will Microsoft Edge be updated? -In Windows 10, we’re delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence. - -## How can I provide feedback on Microsoft Edge? -Microsoft Edge is an evergreen browser - we’ll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. - -## Will Internet Explorer 11 continue to receive updates? -We’re committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it’s installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge. - -## How do I find out what version of Microsoft Edge I have? -In the upper right corner of Microsoft Edge, click the ellipses icon (**...**), and then click **Settings**. Look in the **About Microsoft Edge** section to find your version. - -## What is Microsoft EdgeHTML? -Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform. (As opposed to *Microsoft Edge, based on Chromium*.) diff --git a/browsers/edge/microsoft-edge-faq.yml b/browsers/edge/microsoft-edge-faq.yml new file mode 100644 index 0000000000..751f40f4ea --- /dev/null +++ b/browsers/edge/microsoft-edge-faq.yml @@ -0,0 +1,74 @@ +### YamlMime:FAQ +metadata: + title: Microsoft Edge - Frequently Asked Questions (FAQ) for IT Pros + ms.reviewer: + audience: itpro + manager: dansimp + description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. + author: dansimp + ms.author: dansimp + ms.prod: edge + ms.topic: article + ms.mktglfcycl: general + ms.sitesec: library + ms.localizationpriority: medium + +title: Frequently Asked Questions (FAQ) for IT Pros +summary: | + Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + + > [!NOTE] + > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). + + +sections: + - name: Ignored + questions: + - question: How can I get the next major version of Microsoft Edge, based on Chromium? + answer: | + In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/). + + - question: What's the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use? + answer: | + Microsoft Edge is the default browser for all Windows 10 devices. It's built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11. + + For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). + + - question: Does Microsoft Edge work with Enterprise Mode? + answer: | + [Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. + + - question: How do I customize Microsoft Edge and related settings for my organization? + answer: | + You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. + + - question: Is Adobe Flash supported in Microsoft Edge? + answer: | + Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we've started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content. + + To learn more about Microsoft's plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). + + - question: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java? + answer: | + No, Microsoft Edge doesn't support ActiveX controls and Browser Helper Objects (BHOs) like Silverlight or Java. If you're running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in Internet Explorer 11. Internet Explorer 11 offers additional security, manageability, performance, backward compatibility, and standards support. + + - question: How often will Microsoft Edge be updated? + answer: | + In Windows 10, we're delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence. + + - question: How can I provide feedback on Microsoft Edge? + answer: | + Microsoft Edge is an evergreen browser - we'll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. + + - question: Will Internet Explorer 11 continue to receive updates? + answer: | + We're committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it's installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge. + + - question: How do I find out which version of Microsoft Edge I have? + answer: | + In the upper-right corner of Microsoft Edge, select the ellipses icon (**...**), and then select **Settings**. Look in the **About Microsoft Edge** section to find your version. + + - question: What is Microsoft EdgeHTML? + answer: | + Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform (as opposed to *Microsoft Edge, based on Chromium*). + diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index d906bfc6ce..7c44ef1c3b 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -11,7 +11,7 @@ ms.prod: edge ms.sitesec: library ms.topic: article ms.localizationpriority: medium -ms.date: 01/17/2020 +ms.date: 02/16/2021 --- # Deploy Microsoft Edge Legacy kiosk mode @@ -22,7 +22,7 @@ ms.date: 01/17/2020 > Professional, Enterprise, and Education > [!NOTE] -> You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-kiosk-mode). +> You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-configure-kiosk-mode). In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge Legacy as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge Legacy in kiosk mode. diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 576a1de28f..a796135a6b 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -39,7 +39,16 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Internet Explorer" + "titleSuffix": "Internet Explorer", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "externalReference": [], "template": "op.html", diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index edcb50cb9e..bd0befaee9 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -68,7 +68,7 @@ Additional information on Internet Explorer 11, including a Readiness Toolkit, t ## Availability of Internet Explorer 11 -Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Configuration Manager and WSUS. +Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Manager and WSUS. ## Prevent automatic installation of Internet Explorer 11 with WSUS diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md index 0257a9db03..5c29be5126 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.md @@ -10,9 +10,7 @@ ms.prod: internet-explorer ms.technology: ms.topic: kb-support ms.custom: CI=111020 -ms.localizationpriority: Normal -# localization_priority: medium -# ms.translationtype: MT +ms.localizationpriority: medium ms.date: 01/23/2020 --- # Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json index 5228341de6..6d55b1a859 100644 --- a/devices/hololens/docfx.json +++ b/devices/hololens/docfx.json @@ -45,7 +45,16 @@ "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/education/docfx.json b/education/docfx.json index 809a2da28f..8ba1394c6d 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -7,7 +7,8 @@ "**/**.yml" ], "exclude": [ - "**/obj/**" + "**/obj/**", + "**/includes/**" ] } ], @@ -19,7 +20,8 @@ "**/*.svg" ], "exclude": [ - "**/obj/**" + "**/obj/**", + "**/includes/**" ] } ], diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index 3c22125793..156feee1de 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,10 +2,10 @@ -## Week of October 19, 2020 +## Week of January 11, 2021 | Published On |Topic title | Change | |------|------------|--------| -| 10/22/2020 | [Microsoft 365 Education Documentation for developers](/education/developers) | modified | -| 10/22/2020 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified | +| 1/14/2021 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified | +| 1/14/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index cbbdb3502b..3cd18bebdd 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -457,7 +457,7 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid X -Use Microsoft Endpoint Configuration Manager for management +Use Microsoft Endpoint Manager for management X X diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 280778ccb4..d2a18c7393 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -26,69 +26,106 @@ This guide shows you how to deploy the Windows 10 operating system in a school d Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. Just as with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. ->**Note**  This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). +> [!NOTE] +> This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). ### Plan a typical district configuration As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. -![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") +> [!div class="mx-imgBorder"] +> ![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") *Figure 1. Typical district configuration for this guide* A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses. -![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") +> [!div class="mx-imgBorder"] +> ![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") *Figure 2. Typical school configuration for this guide* Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses. -![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") +> [!div class="mx-imgBorder"] +> ![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") *Figure 3. Typical classroom configuration in a school* This district configuration has the following characteristics: * It contains one or more admin devices. + * It contains two or more schools. + * Each school contains two or more classrooms. + * Each classroom contains one teacher device. + * The classrooms connect to each other through multiple subnets. + * All devices in each classroom connect to a single subnet. + * All devices have high-speed, persistent connections to each other and to the Internet. + * All teachers and students have access to Microsoft Store or Microsoft Store for Business. + * You install a 64-bit version of Windows 10 on the admin device. + * You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. + * You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device. - >**Note**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. + + > [!NOTE] + > In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. + * The devices use Azure AD in Office 365 Education for identity management. + * If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/). + * Use [Intune](https://docs.microsoft.com/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](https://technet.microsoft.com/library/cc725828.aspx) to manage devices. + * Each device supports a one-student-per-device or multiple-students-per-device scenario. + * The devices can be a mixture of different make, model, and processor architecture (32-bit or 64-bit) or be identical. + * To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment (PXE) boot. + * The devices can be a mixture of different Windows 10 editions, such as Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education. Use these characteristics at a minimum as you deploy your schools. If your district deployment is less complex, you may want to review the guidance in [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school). ->**Note**  This guide focuses on Intune as the mobile device management (MDM) solution. If you want to use an MDM solution other than Intune, ignore the Intune-specific content in this guide. For each section, contact your MDM provider to determine the features and management capabilities for your institution. +> [!NOTE] +> This guide focuses on Intune as the mobile device management (MDM) solution. If you want to use an MDM solution other than Intune, ignore the Intune-specific content in this guide. For each section, contact your MDM provider to determine the features and management capabilities for your institution. Office 365 Education allows: * Students and faculty to use Microsoft Office to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser. + * Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students. + * Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, the administration, and faculty. + * Teachers to employ Sway to create interactive educational digital storytelling. + * Students and faculty to use email and calendars, with mailboxes up to 50 GB per user. + * Faculty to use advanced email features like email archiving and legal hold capabilities. + * Faculty to help prevent unauthorized users from accessing documents and email by using Microsoft Azure Rights Management. + * Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center. + * Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business. + * Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business. + * Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites. + * Students and faculty to use Office 365 Video to manage videos. + * Students and faculty to use Yammer to collaborate through private social networking. + * Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices). For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic). @@ -105,7 +142,7 @@ This guide focuses on LTI deployments to deploy the reference device. You can us MDT includes the Deployment Workbench, a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. -LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. +LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in [Prepare the admin device](#prepare-the-admin-device), earlier in this article. The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. @@ -114,9 +151,13 @@ ZTI performs fully automated deployments using Configuration Manager and MDT. Al The configuration process requires the following devices: * **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the Configuration Manager Console on this device. + * **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices. + You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all). + * **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. + * **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. The high-level process for deploying and configuring devices within individual classrooms, individual schools, and the district as a whole is as follows and illustrated in Figure 4: @@ -139,7 +180,8 @@ The high-level process for deploying and configuring devices within individual c 9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration. -![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works") +> [!div class="mx-imgBorder"] +> ![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works") *Figure 4. How district configuration works* @@ -160,7 +202,7 @@ Before you select the deployment and management methods, you need to review the |Scenario feature |Cloud-centric|On-premises and cloud| |---|---|---| |Identity management | Azure AD (stand-alone or integrated with on-premises AD DS) | AD DS integrated with Azure AD | -|Windows 10 deployment | MDT only | Microsoft Endpoint Configuration Manager with MDT | +|Windows 10 deployment | MDT only | Microsoft Endpoint Manager with MDT | |Configuration setting management | Intune | Group Policy

Intune| |App and update management | Intune |Microsoft Endpoint Configuration Manager

Intune| @@ -174,14 +216,14 @@ These scenarios assume the need to support: Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind: * You can use Group Policy or Intune to manage configuration settings on a device but not both. -* You can use Microsoft Endpoint Configuration Manager or Intune to manage apps and updates on a device but not both. +* You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both. * You cannot manage multiple users on a device with Intune if the device is AD DS domain joined. Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district. ### Select the deployment methods -To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution. +To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution. @@ -249,7 +291,7 @@ Select this method when you:

The disadvantages of this method are that it:

@@ -265,7 +307,7 @@ Record the deployment methods you selected in Table 3. |Selection | Deployment method| |--------- | -----------------| | |MDT by itself | -| |Microsoft Endpoint Configuration Manager and MDT| +| |Microsoft Endpoint Manager and MDT| *Table 3. Deployment methods selected* @@ -441,12 +483,12 @@ Select this method when you:

- + - + @@ -370,8 +375,8 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

The data type is integer. Supported operation is Get and Replace. -**Properties/SessionTimeout** -

Added in Windows 10, version 1703. Specifies the number of minutes until the session times out. +**Properties/SessionTimeout** +

Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.

The following table shows the permitted values. @@ -385,7 +390,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

- + @@ -422,8 +427,8 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

The data type is integer. Supported operation is Get and Replace. -**Properties/SleepTimeout** -

Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode. +**Properties/SleepTimeout** +

Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.

The following table shows the permitted values. @@ -437,7 +442,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

- + @@ -474,53 +479,54 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

The data type is integer. Supported operation is Get and Replace. -**Properties/AllowSessionResume** -

Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. +**Properties/SleepMode** +

Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub. -

If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. +

Valid values: + +- 0 - Connected Standby (default) +- 1 - Hibernate + +

The data type is integer. Supported operation is Get and Replace. + +**Properties/AllowSessionResume** +

Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. + +

If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.

The data type is boolean. Supported operation is Get and Replace. -**Properties/AllowAutoProxyAuth** +**Properties/AllowAutoProxyAuth**

Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.

If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.

The data type is boolean. Supported operation is Get and Replace. -**Properties/DisableSigninSuggestions** -

Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. +**Properties/DisableSigninSuggestions** +

Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.

If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate.

The data type is boolean. Supported operation is Get and Replace. -**Properties/DoNotShowMyMeetingsAndFiles** +**Properties/DoNotShowMyMeetingsAndFiles**

Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365.

If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown.

The data type is boolean. Supported operation is Get and Replace. -**MOMAgent** +**MOMAgent**

Node for the Microsoft Operations Management Suite. -**MOMAgent/WorkspaceID** +**MOMAgent/WorkspaceID**

GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent.

The data type is string. Supported operation is Get and Replace. -**MOMAgent/WorkspaceKey** +**MOMAgent/WorkspaceKey**

Primary key for authenticating with the workspace.

The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string. - - - - - - - - - diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 5f3d865cbd..dc6cd495a9 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -52,7 +52,7 @@ Supported operations include Get, Add, and Delete. Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect. **VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId -A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. +A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. Supported operations include Get, Add, Replace, and Delete. @@ -132,7 +132,7 @@ Returns the namespace type. This value can be one of the following: Value type is chr. Supported operation is Get. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DnsServers** -List of comma separated DNS Server IP addresses to use for the namespace. +List of comma-separated DNS Server IP addresses to use for the namespace. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -202,7 +202,7 @@ Numeric value from 0-255 representing the IP protocol to allow. For example, TCP Value type is int. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalPortRanges** -A list of comma separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`. +A list of comma-separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`. > [!NOTE] > Ports are only valid when the protocol is set to TCP=6 or UDP=17. @@ -210,7 +210,7 @@ A list of comma separated values specifying local port ranges to allow. For exam Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemotePortRanges** -A list of comma separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`. +A list of comma-separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`. > [!NOTE] > Ports are only valid when the protocol is set to TCP=6 or UDP=17. @@ -218,12 +218,12 @@ A list of comma separated values specifying remote port ranges to allow. For exa Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalAddressRanges** -A list of comma separated values specifying local IP address ranges to allow. +A list of comma-separated values specifying local IP address ranges to allow. Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemoteAddressRanges** -A list of comma separated values specifying remote IP address ranges to allow. +A list of comma-separated values specifying remote IP address ranges to allow. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -241,9 +241,9 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. Added in Windows 10, version 2004. Specifies the traffic direction to apply this policy to. Default is Outbound. The value can be one of the following: - Outbound - The rule applies to all outbound traffic -- nbound - The rule applies to all inbound traffic +- Inbound - The rule applies to all inbound traffic -If no inbound filter is provided, then by default all unsolicated inbound traffic will be blocked. +If no inbound filter is provided, then by default all unsolicited inbound traffic will be blocked. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -281,25 +281,6 @@ Valid values: Value type is bool. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/**ProfileName**/LockDown** (./Device only profile) -Lockdown profile. - -Valid values: - -- False (default) - this is not a LockDown profile. -- True - this is a LockDown profile. - -When the LockDown profile is turned on, it does the following things: - -- First, it automatically becomes an "always on" profile. -- Second, it can never be disconnected. -- Third, if the profile is not connected, then the user has no network. -- Fourth, no other profiles may be connected or modified. - -A Lockdown profile must be deleted before you can add, remove, or connect other profiles. - -Value type is bool. Supported operations include Get, Add, Replace, and Delete. - **VPNv2/**ProfileName**/DeviceTunnel** (./Device only profile) Device tunnel profile. @@ -327,7 +308,7 @@ Valid values: - True = Register the connection's addresses in DNS. **VPNv2/**ProfileName**/DnsSuffix** -Optional. Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. +Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -345,7 +326,10 @@ Added in Windows 10, version 1607. The XML schema for provisioning all the fiel Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/Proxy** -A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected. +A collection of configuration objects to enable a post-connect proxy support for VPN Force Tunnel connections. The proxy defined for this profile is applied when this profile is active and connected. + +> [!NOTE] +> VPN proxy settings are used only on Force Tunnel connections. On Split Tunnel connections, the general proxy settings are used. **VPNv2/**ProfileName**/Proxy/Manual** Optional node containing the manual server settings. @@ -436,7 +420,7 @@ Required for native profiles. Public or routable IP address or DNS name for the The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. -You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. +You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -1329,4 +1313,3 @@ Servers - diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index c0e32c95b7..ee3e5cfb4c 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -31,7 +31,6 @@ Here's the XSD for the ProfileXML node in the VPNv2 CSP and VpnManagementAgent:: - @@ -442,4 +441,4 @@ Here's the XSD for the ProfileXML node in the VPNv2 CSP and VpnManagementAgent:: 16 -``` \ No newline at end of file +``` diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 377215d1a7..6699a32617 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -125,7 +125,7 @@ The following list shows the supported values: - 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard. > [!NOTE] -> This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. +> This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled. ADMX Info: diff --git a/windows/client-management/media/image1.png b/windows/client-management/media/image1.png new file mode 100644 index 0000000000..1f6394616a Binary files /dev/null and b/windows/client-management/media/image1.png differ diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md new file mode 100644 index 0000000000..6a50151342 --- /dev/null +++ b/windows/client-management/quick-assist.md @@ -0,0 +1,121 @@ +--- +title: Use Quick Assist to help users +description: How IT Pros can use Quick Assist to help users +ms.prod: w10 +ms.sitesec: library +ms.topic: article +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +manager: laurawi +--- + +# Use Quick Assist to help users + +Quick Assist is a Windows 10 application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user’s device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. + +## Before you begin + +All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn’t have to authenticate. + +### Authentication + +The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory. Local Active Directory authentication is not supported at this time. + +### Network considerations + +Quick Assist communicates over port 443 (https) and connects to the Remote Assistance Service at `https://remoteassistance.support.services.microsoft.com` by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2. + +Both the helper and sharer must be able to reach these endpoints over port 443: + +| Domain/Name | Description | +|-----------------------------------|-------------------------------------------------------| +| \*.support.services.microsoft.com | Primary endpoint used for Quick Assist application | +| \*.resources.lync.com | Required for the Skype framework used by Quick Assist | +| \*.infra.lync.com | Required for the Skype framework used by Quick Assist | +| \*.latest-swx.cdn.skype.com | Required for the Skype framework used by Quick Assist | +| \*.login.microsoftonline.com | Required for logging in to the application (MSA) | +| \*.channelwebsdks.azureedge.net | Used for chat services within Quick Assist | +| \*.aria.microsoft.com | Used for accessibility features within the app | +| \*.api.support.microsoft.com | API access for Quick Assist | +| \*.vortex.data.microsoft.com | Used for diagnostic data | +| \*.channelservices.microsoft.com | Required for chat services within Quick Assist | + +## How it works + +1. Both the helper and the sharer start Quick Assist. + +2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. + +3. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session. + +4. The helper is prompted to select **View Only** or **Full Control**. + +5. The sharer is prompted to confirm allowing the helper to share their desktop with the helper. + +6. Quick Assist starts RDP control and connects to the RDP Relay service. + +7. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service. + +:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established"::: + +### Data and privacy + +Microsoft logs a small amount of session data to monitor the health of the Quick Assist system. This data includes the following information: + +- Start and end time of the session + +- Errors arising from Quick Assist itself, such as unexpected disconnections + +- Features used inside the app such as view only, annotation, and session pause + +No logs are created on either the helper’s or sharer’s device. Microsoft cannot access a session or view any actions or keystrokes that occur in the session. + +The sharer sees only an abbreviated version of the helper’s name (first name, last initial) and no other information about them. Microsoft does not store any data about either the sharer or the helper for longer than three days. + +In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device. + +## Working with Quick Assist + +Either the support staff or a user can start a Quick Assist session. + + +1. Support staff (“helper”) starts Quick Assist in any of a few ways: + + - Type *Quick Assist* in the search box and press ENTER. + - From the Start menu, select **Windows Accessories**, and then select **Quick Assist**. + - Type CTRL+Windows+Q + +2. In the **Give assistance** section, helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code. + +3. Helper shares the security code with the user over the phone or with a messaging system. + +4. Quick Assist opens on the sharer’s device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**. + +5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After choosing, the helper selects **Continue**. + +6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button. + +## If Quick Assist is missing + +If for some reason a user doesn't have Quick Assist on their system or it's not working properly, they might need to uninstall and reinstall it. + +### Uninstall Quick Assist + +1. Start the Settings app, and then select **Apps**. +2. Select **Optional features**. +3. In the **Installed features** search bar, type *Quick Assist*. +4. Select **Microsoft Quick Assist**, and then select **Uninstall**. + +### Reinstall Quick Assist + +1. Start the Settings app, and then select **Apps**. +2. Select **Optional features**. +3. Select **Add a feature**. +4. In the new dialog that opens, in the **Add an optional feature** search bar, type *Quick Assist*. +5. Select the check box for **Microsoft Quick Assist**, and then select **Install**. +6. Restart the device. + +## Next steps + +If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://www.microsoft.com/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0&rtc=1#activetab=pivot:overviewtab). diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index 0bdc744338..bdb67e2528 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -1,6 +1,6 @@ --- title: Advanced advice for Stop error 7B, Inaccessible_Boot_Device -description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device. This error may occur after some changes are made to the computer, +description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device. This error might occur after some changes are made to the computer, ms.prod: w10 ms.mktglfcycl: ms.sitesec: library @@ -15,27 +15,27 @@ manager: dansimp # Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device -This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error may occur after some changes are made to the computer, or immediately after you deploy Windows on the computer. +This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error might occur after some changes are made to the computer, or immediately after you deploy Windows on the computer. ## Causes of the Inaccessible_Boot_Device Stop error -Any one of the following factors may cause the stop error: +Any one of the following factors might cause the stop error: -* Missing, corrupted, or misbehaving filter drivers that are related to the storage stack +* Missing, corrupted, or misbehaving filter drivers that are related to the storage stack -* File system corruption +* File system corruption -* Changes to the storage controller mode or settings in the BIOS +* Changes to the storage controller mode or settings in the BIOS -* Using a different storage controller than the one that was used when Windows was installed +* Using a different storage controller than the one that was used when Windows was installed -* Moving the hard disk to a different computer that has a different controller +* Moving the hard disk to a different computer that has a different controller -* A faulty motherboard or storage controller, or faulty hardware +* A faulty motherboard or storage controller, or faulty hardware -* In unusual cases: the failure of the TrustedInstaller service to commit newly installed updates because of Component Based Store corruptions +* In unusual cases, the failure of the TrustedInstaller service to commit newly installed updates is because of component-based store corruptions -* Corrupted files in the **Boot** partition (for example, corruption in the volume that is labeled **SYSTEM** when you run the `diskpart` > `list vol` command) +* Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command) ## Troubleshoot this error @@ -43,9 +43,9 @@ Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com 1. Start the system by using [the installation media for the installed version of Windows](https://support.microsoft.com/help/15088). -2. On the **Install Windows** screen, select **Next** > **Repair your computer** . +2. On the **Install Windows** screen, select **Next** > **Repair your computer**. -3. On the **System Recovery Options** screen, select **Next** > **Command Prompt** . +3. On the **System Recovery Options** screen, select **Next** > **Command Prompt**. ### Verify that the boot disk is connected and accessible @@ -55,7 +55,7 @@ Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com A list of the physical disks that are attached to the computer should be displayed and resemble the following display: -``` +```console Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- @@ -65,7 +65,7 @@ A list of the physical disks that are attached to the computer should be display If the computer uses a Unified Extensible Firmware Interface (UEFI) startup interface, there will be an asterisk () in the **GPT* column. -If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn** column. +If the computer uses a basic input/output system (BIOS) interface, there won't be an asterisk in the **Dyn** column. #### Step 2 @@ -73,7 +73,7 @@ If the `list disk` command lists the OS disks correctly, run the `list vol` comm `list vol` generates an output that resembles the following display: -``` +```console Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- @@ -86,7 +86,7 @@ If the `list disk` command lists the OS disks correctly, run the `list vol` comm ``` >[!NOTE] ->If the disk that contains the OS is not listed in the output, you will have to engage the OEM or virtualization manufacturer. +>If the disk that contains the OS isn't listed in the output, you'll have to engage the OEM or virtualization manufacturer. ### Verify the integrity of Boot Configuration Database @@ -94,57 +94,57 @@ Check whether the Boot Configuration Database (BCD) has all the correct entries. To verify the BCD entries: -1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file. +1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file. - An example output if the computer is UEFI-based: + If the computer is UEFI-based, here's example output: - ``` + ```cmd device partition=\Device\HarddiskVolume2 path \EFI\Microsoft\Boot\bootmgfw.efi ``` - An example output if the machine is BIOS based: - ``` + If the machine is BIOS-based, here's example output: + ```cmd Device partition=C: ``` >[!NOTE] - >This output may not contain a path. + >This output might not contain a path. -2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device**, **path**, **osdevice**, and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. +2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device**, **path**, **osdevice**, and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. > [!NOTE] - > If the computer is UEFI-based, the filepath value specified in the **path** parameter of **{bootmgr}** and **{default}** will contain an **.efi** extension. + > If the computer is UEFI-based, the file path value that's specified in the **path** parameter of **{bootmgr}** and **{default}** contains an **.efi** extension. ![bcdedit](images/screenshot1.png) -If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that is named **bcdbackup** . To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup** . +If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that's named **bcdbackup**. To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup**. -After the backup is completed, run the following command to make the changes: +After the backup completes, run the following command to make the changes: 

bcdedit /set *{identifier}* option value
-For example, if the device under {default} is wrong or missing, run the following command to set it: `bcdedit /set {default} device partition=C:` +For example, if the device under {default} is wrong or missing, run this command to set it: `bcdedit /set {default} device partition=C:` - If you want to re-create the BCD completely, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`. + If you want to completely re-create the BCD, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`. -If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location per the path that is specified in the **bcdedit** command. By default, **bootmgr** in the BIOS partition will be in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`. +If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location, which is in the specified path in the **bcdedit** command. By default, **bootmgr** in the BIOS partition is in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`. If the files are missing, and you want to rebuild the boot files, follow these steps: -1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, as follows: +1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, like shown here: -``` -D:\> Mkdir BootBackup -R:\> Copy *.* D:\BootBackup -``` + ```cmd + D:\> Mkdir BootBackup + R:\> Copy *.* D:\BootBackup + ``` -2. If you are using Windows 10, or if you are troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, as follows: +2. If you're using Windows 10, or if you're troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, like shown here: ```cmd Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL ``` - For example: if we assign the `` (WinRE drive) the letter R and the `` is the letter D, this command would be the following: + For example, if we assign the `` (WinRE drive) the letter R and the `` is the letter D, the following is the command that we would use: ```cmd Bcdboot D:\windows /s R: /f ALL @@ -153,13 +153,13 @@ R:\> Copy *.* D:\BootBackup >[!NOTE] >The **ALL** part of the **bcdboot** command writes all the boot files (both UEFI and BIOS) to their respective locations. -If you do not have a Windows 10 ISO, you must format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do this, follow these steps: +If you don't have a Windows 10 ISO, format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do this, follow these steps: -1. Start **Notepad** . +1. Start **Notepad**. 2. Press Ctrl+O. -3. Navigate to the system partition (in this example, it is R). +3. Navigate to the system partition (in this example, it's R). 4. Right-click the partition, and then format it. @@ -171,7 +171,7 @@ Run the following command to verify the Windows update installation and dates: Dism /Image:: /Get-packages ``` -After you run this command, you will see the **Install pending** and **Uninstall Pending** packages: +After you run this command, you'll see the **Install pending** and **Uninstall Pending** packages: ![Dism output](images/pendingupdate.png) @@ -179,27 +179,27 @@ After you run this command, you will see the **Install pending** and **Uninstall ![Dism output](images/revertpending.png) -2. Navigate to ***OSdriveLetter* :\Windows\WinSxS** , and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**. +2. Navigate to ***OSdriveLetter*:\Windows\WinSxS**, and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**. -3. To revert the registry changes, type **regedit** at the command prompt to open **Registry Editor**. +3. To revert the registry changes, type **regedit** at the command prompt to open **Registry Editor**. 4. Select **HKEY_LOCAL_MACHINE**, and then go to **File** > **Load Hive**. -5. Navigate to **OSdriveLetter:\Windows\System32\config**, select the file that is named **COMPONENT** (with no extension), and then select **Open**. When you are prompted, enter the name **OfflineComponentHive** for the new hive +5. Navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **COMPONENT** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineComponentHive** for the new hive. ![Load Hive](images/loadhive.png) 6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key. -7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**. +7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**. ![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png) -8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter* :\Windows\System32\config**, select the file that is named **SYSTEM** (with no extension), and then select **Open** . When you are prompted, enter the name **OfflineSystemHive** for the new hive. +8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **SYSTEM** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineSystemHive** for the new hive. 9. Expand **HKEY_LOCAL_MACHINE\OfflineSystemHive**, and then select the **Select** key. Check the data for the **Default** value. -10. If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default** is **1** , expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it is **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on. +10. If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default** is **1**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it's **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on. 11. Expand **Control\Session Manager**. Check whether the **PendingFileRenameOperations** key exists. If it does, back up the **SessionManager** key, and then delete the **PendingFileRenameOperations** key. @@ -207,7 +207,7 @@ After you run this command, you will see the **Install pending** and **Uninstall #### Check services -1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after an Windows Update installation" section. (Step 11 does not apply to this procedure.) +1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after a Windows Update installation" section. (Step 11 doesn't apply to this procedure.) 2. Expand **Services**. @@ -225,9 +225,9 @@ After you run this command, you will see the **Install pending** and **Uninstall * VOLUME -If these keys exist, check each one to make sure that it has a value that is named **Start** and that it is set to **0**. If not, set the value to **0**. +If these keys exist, check each one to make sure that it has a value that's named **Start**, and that it's set to **0**. If it's not, set the value to **0**. -If any of these keys do not exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this, run the following commands: +If any of these keys don't exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this, run the following commands: ```cmd cd OSdrive:\Windows\System32\config @@ -237,7 +237,7 @@ copy OSdrive:\Windows\System32\config\RegBack\SYSTEM OSdrive:\Windows\System32\c #### Check upper and lower filter drivers -Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they do not exist on another, similar working computer. if they do exist, remove the upper and lower filter drivers: +Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they don't exist on another, similar working computer. If they do exist, remove the upper and lower filter drivers: 1. Expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001\Control**. @@ -245,8 +245,8 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the >[!NOTE] >These filters are mainly related to storage. After you expand the **Control** key in the registry, you can search for **UpperFilters** and **LowerFilters**. - - The following are some of the different registry entries in which you may find these filter drivers. These entries are located under **ControlSet** and are designated as **Default** : + + You might find these filter drivers in some of the following registry entries. These entries are under **ControlSet** and are designated as **Default**: \Control\Class\\{4D36E96A-E325-11CE-BFC1-08002BE10318} @@ -258,19 +258,19 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the ![Registry](images/controlset.png) -If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it is not a Windows default filter driver, such as PartMgr), remove the entry by double-clicking it in the right pane, and then deleting only that value. +If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it's not a Windows default filter driver, such as PartMgr), remove the entry. To remove it, double-click it in the right pane, and then delete only that value. >[!NOTE] >There could be multiple entries. -The reason that these entries may affect us is because there may be an entry in the **Services** branch that has a START type set to 0 or 1 (indicating that it is loaded at the Boot or Automatic part of the boot process). Also, either the file that is referred to is missing or corrupted, or it may be named differently than what is listed in the entry. +These entries might affect us because there might be an entry in the **Services** branch that has a START type set to 0 or 1, which means that it's loaded at the Boot or Automatic part of the boot process. Also, either the file that's referred to is missing or corrupted, or it might be named differently than what's listed in the entry. >[!NOTE] ->If there actually is a service that is set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error. +>If there's a service that's set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error. ### Running SFC and Chkdsk - If the computer still does not start, you can try to run a **chkdisk** process on the system drive, and also run System File Checker. To do this, run the following commands at a WinRE command prompt: + If the computer still doesn't start, you can try to run a **chkdisk** process on the system drive, and then also run System File Checker. To do this, run the following commands at a WinRE command prompt: * `chkdsk /f /r OsDrive:` diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md index 0d4f00510a..77e524634d 100644 --- a/windows/client-management/troubleshoot-tcpip-connectivity.md +++ b/windows/client-management/troubleshoot-tcpip-connectivity.md @@ -14,27 +14,33 @@ manager: dansimp # Troubleshoot TCP/IP connectivity -You might come across connectivity errors on the application end or timeout errors. Most common scenarios would include application connectivity to a database server, SQL timeout errors, BizTalk application timeout errors, Remote Desktop Protocol (RDP) failures, file share access failures, or general connectivity. +You might come across connectivity errors on the application end or timeout errors. The following are the most common scenarios: +- Application connectivity to a database server +- SQL timeout errors +- BizTalk application timeout errors +- Remote Desktop Protocol (RDP) failures +- File share access failures +- General connectivity -When you suspect that the issue is on the network, you collect a network trace. The network trace would then be filtered. During troubleshooting connectivity errors, you might come across TCP reset in a network capture which could indicate a network issue. +When you suspect that the issue is on the network, you collect a network trace. The network trace would then be filtered. During troubleshooting connectivity errors, you might come across TCP reset in a network capture that could indicate a network issue. -* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures this is through the handshake process. Establishing a TCP session would begin with a 3-way handshake, followed by data transfer, and then a 4-way closure. The 4-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the 4-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this is the TIME_WAIT state. Once the TIME_WAIT state is done, all the resources allocated for this connection are released. +* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures reliability is through the handshake process. Establishing a TCP session would begin with a three-way handshake, followed by data transfer, and then a four-way closure. The four-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the 4-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this is the TIME_WAIT state. After the TIME_WAIT state completes, all the resources allocated for this connection are released. -* TCP reset is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. +* TCP reset is an abrupt closure of the session; it causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. * TCP reset is identified by the RESET flag in the TCP header set to `1`. -A network trace on the source and the destination which will help you determine the flow of the traffic and see at what point the failure is observed. +A network trace on the source and the destination helps you to determine the flow of the traffic and see at what point the failure is observed. The following sections describe some of the scenarios when you will see a RESET. ## Packet drops -When one TCP peer is sending out TCP packets for which there is no response received from the other end, the TCP peer would end up re-transmitting the data and when there is no response received, it would end the session by sending an ACK RESET( meaning, application acknowledges whatever data exchanged so far, but due to packet drop closing the connection). +When one TCP peer is sending out TCP packets for which there is no response received from the other end, the TCP peer would end up retransmitting the data and when there is no response received, it would end the session by sending an ACK RESET (this means that the application acknowledges whatever data is exchanged so far, but because of packet drop, the connection is closed). The simultaneous network traces on source and destination will help you verify this behavior where on the source side you would see the packets being retransmitted and on the destination none of these packets are seen. This would mean, the network device between the source and destination is dropping the packets. -If the initial TCP handshake is failing because of packet drops then you would see that the TCP SYN packet is retransmitted only 3 times. +If the initial TCP handshake is failing because of packet drops, then you would see that the TCP SYN packet is retransmitted only three times. Source side connecting on port 445: @@ -44,7 +50,7 @@ Destination side: applying the same filter, you do not see any packets. ![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png) -For the rest of the data, TCP will retransmit the packets 5 times. +For the rest of the data, TCP will retransmit the packets five times. **Source 192.168.1.62 side trace:** @@ -58,16 +64,16 @@ If you are seeing that the SYN packets are reaching the destination, but the des ## Incorrect parameter in the TCP header -You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being re-played by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you will be able to notice if there is a change in the packets itself or if any new packets are reaching the destination on behalf of the source. +You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being replayed by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you will be able to notice if there is a change in the packets itself or if any new packets are reaching the destination on behalf of the source. -In this case, you will again need help from the network team to identify any such device which is modifying packets or re-playing packets to the destination. The most common ones are RiverBed devices or WAN accelerators. +In this case, you'll again need help from the network team to identify any device that's modifying packets or replaying packets to the destination. The most common ones are RiverBed devices or WAN accelerators. ## Application side reset When you have identified that the resets are not due to retransmits or incorrect parameter or packets being modified with the help of network trace, then you have narrowed it down to application level reset. -The application resets are the ones where you see the Acknowledgement flag set to `1` along with the reset flag. This would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This is when the application that received the packet did not like something it received. +The application resets are the ones where you see the Acknowledgment flag set to `1` along with the reset flag. This would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This is when the application that received the packet did not like something it received. In the below screenshots, you see that the packets seen on the source and the destination are the same without any modification or any drops, but you see an explicit reset sent by the destination to the source. @@ -83,7 +89,7 @@ You also see an ACK+RST flag packet in a case when the TCP establishment packet ![Screenshot of packet flag](images/tcp-ts-11.png) -The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. +The application that's causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. >[!Note] >The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You would not see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you have the UDP packet sent out on a port and the destination does not have port listed, you will see the destination sending out **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet @@ -96,7 +102,7 @@ The application which is causing the reset (identified by port numbers) should b ``` -During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. You should enable firewall auditing on the machine to understand if the local firewall is dropping the packet. +During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. To understand whether the local firewall is dropping the packet, enable the firewall auditing on the machine. ``` auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable @@ -106,6 +112,6 @@ You can then review the Security event logs to see for a packet drop on a partic ![Screenshot of Event Properties](images/tcp-ts-12.png) -Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection. +Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. After you open this file and filter for the ID that you find in the above event (2944008), you'll be able to see a firewall rule name that's associated with this ID that's blocking the connection. ![Screenshot of wfpstate.xml file](images/tcp-ts-13.png) diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md index 7f7855bca2..ed2dc15ba1 100644 --- a/windows/client-management/troubleshoot-tcpip-netmon.md +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -19,7 +19,7 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is > [!NOTE] > Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide). -To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image. +To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image: ![Adapters](images/nm-adapters.png) diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index b50e43abae..ee292cb2a6 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -251,7 +251,7 @@ If the physical computer is still running in a frozen state, follow these steps Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag. -Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](https://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx). +Learn [how to use Memory Pool Monitor to troubleshoot kernel mode memory leaks](https://support.microsoft.com/office/how-to-use-memory-pool-monitor-poolmon-exe-to-troubleshoot-kernel-mode-memory-leaks-4f4a05c2-ef8a-fca4-3ae0-670b940af398). ### Use memory dump to collect data for the virtual machine that's running in a frozen state diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index d915ec9aee..e78c383c6d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -29,7 +29,7 @@ There are a few things to be aware of before you start using Cortana in Windows - **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy). -- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution. +- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution. - **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](https://go.microsoft.com/fwlink/p/?LinkId=620763). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index 1425bcd323..a0e470eed5 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md @@ -32,7 +32,7 @@ To enable voice commands in Cortana - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana). -2. **Install the VCD file on employees' devices**. You can use Microsoft Endpoint Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. +2. **Install the VCD file on employees' devices**. You can use Microsoft Endpoint Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. ## Test scenario: Use voice commands in a Microsoft Store app While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization. diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index 14dfdcd3da..da23d57297 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -6,7 +6,7 @@ description: Cortana includes powerful configuration options specifically to opt ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: kwekua +author: dansimp ms.localizationpriority: medium ms.author: dansimp --- diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index ad794f7530..4eade94321 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -182,6 +182,11 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed 4. Save the file and apply using any of the deployment methods. +> [!NOTE] +> Office 2019 tiles might be removed from the Start menu when you upgrade Office 2019. This only occurs if Office 2019 app tiles are in a custom group in the Start menu and only contains the Office 2019 app tiles. To avoid this problem, place another app tile in the Office 2019 group prior to the upgrade. For example, add Notepad.exe or calc.exe to the group. This issue occurs because Office 2019 removes and reinstalls the apps when they are upgraded. Start removes empty groups when it detects that all apps for that group have been removed. + + + ## Related topics diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 3cd4ad2b71..ebadfd9803 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -1,5 +1,5 @@ --- -title: Customize Windows 10 Start and tasbkar with Group Policy (Windows 10) +title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10) description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 ms.reviewer: diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index ea2a557e39..0a784d5c01 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -32,18 +32,29 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", "feedback_system": "None", - "hideEdit": true, + "hideEdit": false, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-configuration", "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Configure Windows" + "titleSuffix": "Configure Windows", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], + "searchScope": ["Windows 10"] }, "fileMetadata": {}, "template": [], diff --git a/windows/configuration/images/configmgr-assets.PNG b/windows/configuration/images/configmgr-assets.PNG deleted file mode 100644 index 2cc50f5758..0000000000 Binary files a/windows/configuration/images/configmgr-assets.PNG and /dev/null differ diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 8ef07ace21..b5816befcb 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -112,7 +112,7 @@ The following table provides some examples of settings that you can configure us | Start menu customization | Start menu layout, application pinning | | Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | -\* Using a provisioning package for auto-enrollment to Microsoft Endpoint Configuration Manager is not supported. Use the Configuration Manager console to enroll devices. +\* Using a provisioning package for auto-enrollment to Microsoft Endpoint Manager is not supported. Use the Configuration Manager console to enroll devices. For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md index 110c062f57..159d0b1376 100644 --- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md @@ -1,7 +1,7 @@ --- title: Administering UE-V with Windows PowerShell and WMI description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks. -author: trudyha +author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md index 1b5004453a..ae0c0dc0e4 100644 --- a/windows/configuration/ue-v/uev-administering-uev.md +++ b/windows/configuration/ue-v/uev-administering-uev.md @@ -1,7 +1,7 @@ --- title: Administering UE-V description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings. -author: trudyha +author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 6ca0f295e0..9fb9d1704d 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -1,7 +1,7 @@ --- title: Application Template Schema Reference for UE-V description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files. -author: trudyha +author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md index 508ec913ff..a4d2addc34 100644 --- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md +++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md @@ -1,7 +1,7 @@ --- title: Changing the Frequency of UE-V Scheduled Tasks description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks. -author: trudyha +author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md index 169e31075f..2a85dc79f2 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md @@ -1,7 +1,7 @@ --- title: Configuring UE-V with Group Policy Objects description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects. -author: trudyha +author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index f4ea6d2a5f..2ced4afd25 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md @@ -14,12 +14,12 @@ ms.topic: article --- -# Configuring UE-V with Microsoft Endpoint Configuration Manager +# Configuring UE-V with Microsoft Endpoint Manager **Applies to** - Windows 10, version 1607 -After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of Microsoft Endpoint Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. +After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of Microsoft Endpoint Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. ## UE-V Configuration Pack supported features diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md index 04cf9543e9..dd861cea0f 100644 --- a/windows/configuration/ue-v/uev-deploy-required-features.md +++ b/windows/configuration/ue-v/uev-deploy-required-features.md @@ -117,7 +117,7 @@ You can configure UE-V before, during, or after you enable the UE-V service on u Windows Server 2012 and Windows Server 2012 R2 -- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of Microsoft Endpoint Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. +- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of Microsoft Endpoint Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. - [**Windows PowerShell and WMI**](uev-administering-uev-with-windows-powershell-and-wmi.md) You can use scripted commands for Windows PowerShell and Windows Management Instrumentation (WMI) to modify the configuration of the UE-V service. diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index e10d20444a..d1971558f4 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md @@ -362,7 +362,7 @@ The UE-V service synchronizes user settings for devices that are not always conn Enable this configuration using one of these methods: -- After you enable the UE-V service, use the Settings Management feature in Microsoft Endpoint Configuration Manager or the UE-V ADMX templates (installed with Windows 10, version 1607) to push the SyncMethod = None configuration. +- After you enable the UE-V service, use the Settings Management feature in Microsoft Endpoint Manager or the UE-V ADMX templates (installed with Windows 10, version 1607) to push the SyncMethod = None configuration. - Use Windows PowerShell or Windows Management Instrumentation (WMI) to set the SyncMethod = None configuration. diff --git a/windows/configure/docfx.json b/windows/configure/docfx.json index 3dcf319a94..a7f9b909e9 100644 --- a/windows/configure/docfx.json +++ b/windows/configure/docfx.json @@ -36,7 +36,16 @@ "./": { "depot_name": "MSDN.windows-configure" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/deploy/docfx.json b/windows/deploy/docfx.json index e287ca8721..58a98d4813 100644 --- a/windows/deploy/docfx.json +++ b/windows/deploy/docfx.json @@ -35,7 +35,16 @@ "depot_name": "MSDN.windows-deploy", "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index fcbd35b410..29ef793b14 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -26,7 +26,7 @@ This walkthrough describes how to configure a PXE server to load Windows PE by ## Prerequisites -- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) installed. +- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) and the Windows PE add-on with ADK installed. - A DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests is required. - A PXE server: A server running the TFTP service that can host Windows PE boot files that the client will download. - A file server: A server hosting a network file share. diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index e43658fdb5..71c908be85 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -24,17 +24,19 @@ This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with >* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. >* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. >* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. +>* Windows 10 Enterprise Subscription Activation requires Windows 10 Enterprise per user licensing; it does not work on per device based licensing. >[!IMPORTANT] ->An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0.
+>An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. +> >Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled". ## Firmware-embedded activation key -To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt +To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt: -``` -(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey +```PowerShell +(Get-CimInstance -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey ``` If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. @@ -44,19 +46,28 @@ If the device has a firmware-embedded activation key, it will be displayed in th If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: 1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: -2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 -3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 -4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. -5. The admin can now assign subscription licenses to users. ->Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: + - **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 + - **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 + +1. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. + +1. The admin can now assign subscription licenses to users. + +Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: 1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -2. Click on **Subscriptions**. -3. Click on **Online Services Agreement List**. + +2. Click **Subscriptions**. + +3. Click **Online Services Agreement List**. + 4. Enter your agreement number, and then click **Search**. + 5. Click the **Service Name**. + 6. In the **Subscription Contact** section, click the name listed under **Last Name**. + 7. Update the contact information, then click **Update Contact Details**. This will trigger a new email. Also in this article: @@ -91,17 +102,21 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: -![profile](images/al01.png) +> [!div class="mx-imgBorder"] +> ![profile](images/al01.png) The following methods are available to assign licenses: 1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users. + 2. You can sign in to portal.office.com and manually assign licenses: ![portal](images/al02.png) 3. You can assign licenses by uploading a spreadsheet. + 4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available. + 5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses. ## Explore the upgrade experience @@ -114,50 +129,50 @@ Users can join a Windows 10 Pro device to Azure AD the first time they start the **To join a device to Azure AD the first time the device is started** -1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.
+1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.

Who owns this PC? page in Windows 10 setup **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup** -2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
+2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.

Choose how you'll connect - page in Windows 10 setup **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup** -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
+3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.

Let's get you signed in - page in Windows 10 setup **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup** -Now the device is Azure AD joined to the company’s subscription. +Now the device is Azure AD–joined to the company’s subscription. **To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up** >[!IMPORTANT] >Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account. -1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.
+1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.

Connect to work or school configuration **Figure 5. Connect to work or school configuration in Settings** -2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
+2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.

Set up a work or school account **Figure 6. Set up a work or school account** -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
+3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.

Let's get you signed in - dialog box **Figure 7. The “Let’s get you signed in” dialog box** -Now the device is Azure AD joined to the company’s subscription. +Now the device is Azure AD–joined to the company's subscription. ### Step 2: Pro edition activation @@ -165,7 +180,7 @@ Now the device is Azure AD joined to the company’s subscription. >If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. >If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. - +
Windows 10 Pro activated
Figure 7a - Windows 10 Pro activation in Settings @@ -176,7 +191,7 @@ Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. -Sign in, Windows 10 +
Sign in, Windows 10 **Figure 8. Sign in by using Azure AD account** @@ -184,7 +199,7 @@ Once the device is joined to your Azure AD subscription, the user will sign in b You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. - +
Windows 10 activated and subscription active **Figure 9 - Windows 10 Enterprise subscription in Settings** @@ -218,19 +233,19 @@ Use the following figures to help you troubleshoot when users experience these c - [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active. - +
Windows 10 not activated and subscription active
Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings - [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. - +
Windows 10 activated and subscription not active
Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings - [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed. - +
Windows 10 not activated and subscription not active
Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index f73558bd91..0cea204292 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -18,8 +18,8 @@ ms.custom: seo-marvel-apr2020 # What's new in Windows 10 deployment -**Applies to** -- Windows 10 +**Applies to:** +- Windows 10 ## In this topic @@ -43,10 +43,10 @@ The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/ ## Microsoft 365 -Microsoft 365 is a new offering from Microsoft that combines +Microsoft 365 is a new offering from Microsoft that combines - Windows 10 - Office 365 -- Enterprise Mobility and Security (EMS). +- Enterprise Mobility and Security (EMS). See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster). @@ -61,16 +61,16 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved: - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting. Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include: -- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. +- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. - Automatic cloud-based congestion detection is available for PCs with cloud service support. -- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon! +- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates and Intune content, with Microsoft Endpoint Manager content coming soon! The following Delivery Optimization policies are removed in the Windows 10, version 2004 release: - Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) - Reason: Replaced with separate policies for foreground and background - Max Upload Bandwidth (DOMaxUploadBandwidth) - - Reason: impacts uploads to internet peers only, which isn't used in Enterprises. + - Reason: impacts uploads to internet peers only, which isn't used in enterprises. - Absolute max throttle (DOMaxDownloadBandwidth) - Reason: separated to foreground and background @@ -80,10 +80,10 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. -- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. -- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. +- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. - **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. - **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. - **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. @@ -104,7 +104,7 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris ### Windows Autopilot -[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices. +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices. With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. @@ -116,7 +116,7 @@ The following Windows Autopilot features are available in Windows 10, version 19 - The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​. - [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. - Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. -- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. +- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. ### Microsoft Endpoint Configuration Manager @@ -138,11 +138,11 @@ During the upgrade process, Windows Setup will extract all its sources files to ### Upgrade Readiness -The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. +The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. -Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. -The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. +The development of Upgrade Readiness has been heavily influenced by input from the community; the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. For more information about Upgrade Readiness, see the following topics: @@ -164,7 +164,7 @@ Device Health is the newest Windows Analytics solution that complements the exis ### MBR2GPT -MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT. +MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT. There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. @@ -183,14 +183,14 @@ The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install). For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004). - + Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). ## Testing and validation guidance ### Windows 10 deployment proof of concept (PoC) -The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup. +The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup. For more information, see the following guides: diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 7e1c6b9819..4b0eb20dcf 100644 --- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -1,6 +1,6 @@ --- title: Create an app to deploy with Windows 10 using Configuration Manager -description: Microsoft Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. +description: Microsoft Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c ms.reviewer: manager: laurawi @@ -22,7 +22,7 @@ ms.topic: article - Windows 10 -Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Configuration Manager that you later configure the task sequence to use. +Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Manager that you later configure the task sequence to use. For the purposes of this guide, we will use one server computer: CM01. - CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index a5ea3f78c2..ccb8ed6bb5 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -1,6 +1,6 @@ --- title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) -description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. +description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa ms.reviewer: manager: laurawi @@ -21,7 +21,7 @@ ms.topic: article - Windows 10 -In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. +In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. This topic assumes that you have completed the following prerequisite procedures: - [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) @@ -51,7 +51,7 @@ All server and client computers referenced in this guide are on the same subnet. ## Procedures 1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot. -2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass@word1** and click **Next**. +2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass\@word1** and click **Next**. 3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**. 4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**. 5. The operating system deployment will take several minutes to complete. @@ -99,4 +99,4 @@ Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Ma [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 4dd8344c5b..66c81b0a5b 100644 --- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -22,7 +22,7 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Configuration Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT). +This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT). ## Prerequisites @@ -77,7 +77,7 @@ ForEach($entry in $oulist){ } ``` -Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt +Next, copy the following list of OU names and paths into a text file and save it as **C:\Setup\Scripts\oulist.txt** ```text OUName,OUPath @@ -129,7 +129,7 @@ In order for the Configuration Manager Join Domain Account (CM\_JD) to join mach On **DC01**: -1. Sign in as contoso\administrtor and enter the following at an elevated Windows PowerShell prompt: +1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt: ``` Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force @@ -389,4 +389,4 @@ You can create reference images for Configuration Manager in Configuration Manag [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) \ No newline at end of file +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md index 46a0b5ee09..1c8551218d 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md @@ -1,6 +1,6 @@ --- title: Perform in-place upgrade to Windows 10 via Configuration Manager -description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Endpoint Configuration Manager task sequence. +description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Endpoint Manager task sequence. ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 ms.reviewer: manager: laurawi @@ -22,7 +22,7 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Configuration Manager task sequence to completely automate the process. +The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Manager task sequence to completely automate the process. >[!IMPORTANT] >Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10. diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index c55b476746..f60f34e592 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -388,12 +388,12 @@ On **MDT01**: 1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. 2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. - >[!IMPORTANT] - >The current version of MDT (8456) has a known issue generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. As a temporary workaround: - >- Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144. - >- Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe). - >- Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim). - >- After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml. + > [!IMPORTANT] + > The ADK version 1903 has a [known issue](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](https://docs.microsoft.com/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903: + > - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144. + > - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe). + > - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim). + > - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml. 3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry. 4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 5c8972471b..2779d317f6 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -147,7 +147,7 @@ On **MDT01**: 9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**. 10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**. -![acroread](../images/acroread.png) +![acroread image](../images/acroread.png) The Adobe Reader application added to the Deployment Workbench. @@ -267,7 +267,7 @@ On **MDT01**: For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6. -![ThinkStation](../images/thinkstation.png) +![ThinkStation image](../images/thinkstation.png) To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). @@ -361,6 +361,9 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh ### Configure the rules +> [!NOTE] +> The following instructions assume the device is online. If you're offline you can remove SLShare variable. + On **MDT01**: 1. Right-click the **MDT Production** deployment share and select **Properties**. @@ -533,7 +536,7 @@ On **MDT01**: 1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\\\x64\\MSDaRT100.msi). 2. Install DaRT 10 (MSDaRT10.msi) using the default settings. - ![DaRT](../images/dart.png) + ![DaRT image](../images/dart.png) 2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively. 3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. @@ -604,13 +607,13 @@ On **HV01**: 2. Installs the added application. 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. -![pc0005](../images/pc0005-vm.png) +![pc0005 image1](../images/pc0005-vm.png) ### Application installation Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed automatically. - ![pc0005](../images/pc0005-vm-office.png) + ![pc0005 image2](../images/pc0005-vm-office.png) ### Use the MDT monitoring feature @@ -731,7 +734,7 @@ On **MDT01**: The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) >[!TIP] ->In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. This means you must split the .wim file, which can be done using DISM:
 
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
 
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
 
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\True\), so this must be changed and the offline media content updated. +>In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
 
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
 
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
 
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\True\), so this must be changed and the offline media content updated. Follow these steps to create a bootable USB stick from the offline media content: diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 52246fddfd..e2da8e687d 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -53,7 +53,7 @@ Several client computers are referenced in this guide with hostnames of PC0001 t ### Storage requirements -MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:) you will need to adjust come procedures in this guide to specify the C: drive instead of the D: drive. +MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:), you will need to adjust some procedures in this guide to specify the C: drive instead of the D: drive. ### Hyper-V requirements @@ -81,7 +81,7 @@ The following OU structure is used in this guide. Instructions are provided [bel These steps assume that you have the MDT01 member server running and configured as a domain member server. -On **MTD01**: +On **MDT01**: Visit the [Download and install the Windows ADK](https://go.microsoft.com/fwlink/p/?LinkId=526803) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder): - [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042) @@ -256,7 +256,7 @@ When you have completed all the steps in this section to prepare for deployment, **Sample files** -The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so that you can see how some tasks can be automated with Windows PowerShell. +The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell. - [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment. - [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. -- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. \ No newline at end of file +- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index ecf21c9ffc..bb85dc9972 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -31,7 +31,7 @@ Windows 10 upgrade options are discussed and information is provided about plann |[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). | |[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | -|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | +|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Endpoint Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | |[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. | |[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.| diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index d90a888be9..cecc2b30b5 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -35,6 +35,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", @@ -48,7 +49,17 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Windows Deployment" + "titleSuffix": "Windows Deployment", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], + "searchScope": ["Windows 10"] }, "fileMetadata": {}, "template": [], diff --git a/windows/deployment/images/mbr2gpt-volume.PNG b/windows/deployment/images/mbr2gpt-volume.png similarity index 100% rename from windows/deployment/images/mbr2gpt-volume.PNG rename to windows/deployment/images/mbr2gpt-volume.png diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 4551b08e4a..7324318c18 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -10,7 +10,7 @@ audience: itpro author: greg-lindsay ms.author: greglin ms.date: 02/13/2018 -ms.reviewer: +ms.reviewer: manager: laurawi ms.audience: itpro ms.localizationpriority: medium @@ -23,7 +23,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows 10 -**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. +**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. >MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. >The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. @@ -32,7 +32,7 @@ See the following video for a detailed description and demonstration of MBR2GPT. -You can use MBR2GPT to: +You can use MBR2GPT to: - Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT. - Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them. @@ -96,11 +96,11 @@ MBR2GPT: Validation completed successfully In the following example: 1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. -2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. +2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. 2. The MBR2GPT tool is used to convert disk 0. 3. The DiskPart tool displays that disk 0 is now using the GPT format. 4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). -5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. +5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. >As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. @@ -272,7 +272,7 @@ For more information about partition types, see: ### Persisting drive letter assignments -The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. +The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following: @@ -299,7 +299,7 @@ The default location for all these log files in Windows PE is **%windir%**. ### Interactive help -To view a list of options available when using the tool, type **mbr2gpt /?** +To view a list of options available when using the tool, type **mbr2gpt /?** The following text is displayed: @@ -376,7 +376,7 @@ Number Friendly Name Serial Number HealthStatus OperationalStatus To You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example: -![Volumes](images/mbr2gpt-volume.PNG) +![Volumes](images/mbr2gpt-volume.png) If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: @@ -400,7 +400,7 @@ DISKPART> list disk In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. -## Known issue +## Known issue ### MBR2GPT.exe cannot run in Windows PE @@ -410,7 +410,7 @@ When you start a Windows 10, version 1903-based computer in the Windows Preinsta **Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there is no output from the tool. -**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Endpoint Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. +**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Endpoint Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. #### Cause @@ -425,10 +425,10 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from 2. Copy the ReAgent files and the ReAgent localization files from the Window 10, version 1903 ADK source folder to the mounted WIM. For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window: - + > [!NOTE] > You can access the ReAgent files if you have installed the User State Migration Tool (USMT) as a feature while installing Windows Assessment and Deployment Kit. - + **Command 1:** ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" @@ -438,20 +438,20 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from * ReAgent.admx * ReAgent.dll * ReAgent.xml - + **Command 2:** ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" - ``` + ``` This command copies two files: * ReAgent.adml * ReAgent.dll.mui > [!NOTE] > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. - + 3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). - + ## Related topics diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md index 9469d47cb7..2b515fbbd0 100644 --- a/windows/deployment/planning/features-lifecycle.md +++ b/windows/deployment/planning/features-lifecycle.md @@ -42,4 +42,4 @@ The following terms can be used to describe the status that might be assigned to ## Also see -[Windows 10 release information](https://docs.microsoft.com/windows/release-information/) +[Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information) diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index 8ab327afb4..99acb38299 100644 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md @@ -56,7 +56,7 @@ The following scenarios are examples of situations in which Windows To Go worksp - **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer. -- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. +- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. - **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC. diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 18d1d96008..2012a23148 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -28,7 +28,6 @@ The features described below are no longer being actively developed, and might b | ----------- | --------------------- | ---- | | Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 | | Companion Device Framework | The [Companion Device Framework](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 | -| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 | | Dynamic Disks | The [Dynamic Disks](https://docs.microsoft.com/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](https://docs.microsoft.com/windows-server/storage/storage-spaces/overview) in a future release.| 2004 | | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | @@ -60,7 +59,7 @@ The features described below are no longer being actively developed, and might b |Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 | |Trusted Platform Module (TPM): TPM.msc and TPM Remote Management | To be replaced by a new user interface in a future release. | 1709 | |Trusted Platform Module (TPM) Remote Management |This functionality within TPM.msc will be migrated to a new user interface. | 1709 | -|Windows Hello for Business deployment that uses Microsoft Endpoint Configuration Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | +|Windows Hello for Business deployment that uses Microsoft Endpoint Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | |Windows PowerShell 2.0 | Applications and components should be migrated to PowerShell 5.0+. | 1709 | |Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 | |Tile Data Layer | The [Tile Data Layer](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 | diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index 546b8de3af..b48649cf32 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md @@ -64,7 +64,7 @@ Many existing Win32 and Win64 applications already run reliably on Windows 10 wi Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. - [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. -- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. +- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. - The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. ### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index 7ca82acf70..ccc6b27193 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -40,7 +40,7 @@ The latest version of the Microsoft Deployment Toolkit (MDT) is available for do For Configuration Manager, Windows 10 version specific support is offered with [various releases](https://docs.microsoft.com/mem/configmgr/core/plan-design/configs/support-for-windows-10). -For more details about Microsoft Endpoint Configuration Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +For more details about Microsoft Endpoint Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Management tools diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index 9223db8e03..ea76222dde 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -58,4 +58,4 @@ The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-managem - [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode) - [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) - [Windows Defender Application Control deployment guide](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) -- [Windows Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md index 202b4531b9..1706180e52 100644 --- a/windows/deployment/update/deploy-updates-configmgr.md +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -17,4 +17,4 @@ ms.topic: article - Windows 10 -See the Microsoft Endpoint Configuration Manager [documentation](https://docs.microsoft.com/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. \ No newline at end of file +See the Microsoft Endpoint Manager [documentation](https://docs.microsoft.com/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. \ No newline at end of file diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md index a36563477b..5c4c8987f1 100644 --- a/windows/deployment/update/feature-update-mission-critical.md +++ b/windows/deployment/update/feature-update-mission-critical.md @@ -1,6 +1,6 @@ --- title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices -description: Learn how to use the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. +description: Learn how to use the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. ms.prod: w10 ms.mktglfcycl: manage audience: itpro @@ -19,7 +19,7 @@ ms.custom: seo-marvel-apr2020 **Applies to**: Windows 10 -Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren't the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. +Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren't the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service). @@ -31,10 +31,10 @@ Devices and shared workstations that are online and available 24 hours a day, 7 You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: - **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. -- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. +- **Additional required tasks.** When deploying a feature update requires additional steps (for example, suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. - **Language pack installations.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. -If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this useful in deploying software updates. +If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks performed pre-install or pre-commit, see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this option useful in deploying software updates. Use the following information: diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md index 93b16449ff..4816c7e26e 100644 --- a/windows/deployment/update/get-started-updates-channels-tools.md +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -28,19 +28,19 @@ version of the software. ## Types of updates -We include information here about a number of different update types you'll hear about, but the two overarching types which you have the most direct control over are *feature updates* and *quality updates*. +We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. - **Feature updates:** Released twice per year, during the first half and second half of each calendar year. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. - **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. - **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md). -- **Driver updates**: These are updates to drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not. -- **Microsoft product updates:** These are updates for other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools. +- **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not. +- **Microsoft product updates:** These update other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools. ## Servicing channels -Windows 10 offers three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows 10 "as a service" which conceives of deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. +Windows 10 offers three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows 10 "as a service," which conceives of deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Endpoint Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization. @@ -54,7 +54,7 @@ In the Semi-annual Channel, feature updates are available as soon as Microsoft r ### Windows Insider Program for Business -Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel: +Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel: - Windows Insider Fast - Windows Insider Slow @@ -65,7 +65,7 @@ We recommend that you use the Windows Insider Release Preview channel for valida ### Long-term Servicing Channel -The **Long Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSB releases service a special LTSB edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). +The **Long-Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as ones that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSB releases service a special LTSB edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. @@ -85,7 +85,7 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi Windows Server Update Services (WSUS): you set up a WSUS server, which downloads updates in bulk from Microsoft. Your individual devices then connect to your server to install their updates from there. -You can set up, control, and manage the server and update process with a number of tools: +You can set up, control, and manage the server and update process with several tools: - A standalone Windows Server Update Services server operated directly - [Configuration Manager](deploy-updates-configmgr.md) @@ -95,7 +95,7 @@ For more information, see [Windows Server Update Services (WSUS)](https://docs.m ### Tools for cloud-based update delivery -Your individual devices connect to Microsoft endpoints directly to get the updates. The details of this process (how often devices download updates of various kinds, from which channels, deferrals, and details of the users' experience of installation) are set on devices either with Group Policy or MDM policies, which you can control with any of a number of tools: +Your individual devices connect to Microsoft endpoints directly to get the updates. The details of this process (how often devices download updates of various kinds, from which channels, deferrals, and details of the users' experience of installation) are set on devices either with Group Policy or MDM policies, which you can control with any of several tools: - [Group Policy Management Console](waas-wufb-group-policy.md) (Gpmc.msc) - [Microsoft Intune](waas-wufb-intune.md) diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 6bab8477a5..44bbae9ebf 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -28,7 +28,7 @@ The Windows Update workflow has four core areas of functionality: ### Download -1. Orchestrator initiates downloads. +1. Orchestrator starts downloads. 2. Windows Update downloads manifest files and provides them to the arbiter. 3. The arbiter evaluates the manifest and tells the Windows Update client to download files. 4. Windows Update client downloads files in a temporary folder. @@ -36,54 +36,54 @@ The Windows Update workflow has four core areas of functionality: ### Install -1. Orchestrator initiates the installation. +1. Orchestrator starts the installation. 2. The arbiter calls the installer to install the package. ### Commit -1. Orchestrator initiates a restart. +1. Orchestrator starts a restart. 2. The arbiter finalizes before the restart. ## How updating works -During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn't disrupt your computer usage. +During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does these actions automatically, according to your settings, and silently so that doesn't disrupt your computer usage. ## Scanning updates ![Windows Update scanning step](images/update-scan-step.png) The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. -When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. +When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. Make sure you're familiar with the following terminology related to Windows Update scan: |Term|Definition| |----|----------| -|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| +|Update|We use this term to mean several different things, but in this context it's the actual updated code or change.| |Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| |Child update|Leaf update that's bundled by another update; contains payload.| -|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| -|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. | +|Detector update|A special "update" that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| +|Category update|A special "detectoid" that has an **IsInstalled** rule that is always true. Used for grouping updates and to allow the device to filter updates. | |Full scan|Scan with empty datastore.| |Delta scan|Scan with updates from previous scan already cached in datastore.| -|Online scan|Scan that hits network and goes against server on cloud. | -|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | -|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| -|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| -|Software sync|Part of the scan that looks at software updates only (OS and apps).| -|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| -|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | +|Online scan|Scan that uses the network and to check an update server. | +|Offline scan|Scan that doesn't use the network and instead checks the local datastore. Only useful if online scan has been performed before. | +|CatScan|Category scan where caller can specify a **categoryId** to get updates published under that **categoryId**.| +|AppCatScan|Category scan where caller can specify an **AppCategoryId** to get apps published under that **appCategoryId**.| +|Software sync|Part of the scan that only checks for software updates (both the apps and the operating system).| +|Driver sync|Part of the scan that checks driver updates only. This sync is optional and runs after the software sync.| +|ProductSync|A sync based on attributes, in which the client provides a list of device, product, and caller attributes ahead of time to allow service to check applicability in the cloud. | ### How Windows Update scanning works -Windows Update takes the following sets of actions when it runs a scan. +Windows Update does the following actions when it runs a scan. #### Starts the scan for updates When users start scanning in Windows Update through the Settings panel, the following occurs: -- The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the WU engine to scan for updates. +- The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates. - "Agent" messages: queueing the scan, then actually starting the work: - - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. + - Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers. - Windows Update uses the thread ID filtering to concentrate on one particular task. ![Windows Update scan log 1](images/update-scan-log-1.png) @@ -91,20 +91,19 @@ When users start scanning in Windows Update through the Settings panel, the foll #### Identifies service IDs - Service IDs indicate which update source is being scanned. - Note The next screen shot shows Microsoft Update and the Flighting service. - The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. ![Windows Update scan log 2](images/update-scan-log-2.png) - Common service IDs > [!IMPORTANT] - > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. + > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to. It's totally controlled by responses from the Service Locator Service. |Service|ServiceId| |-------|---------| -|Unspecified / Default|WU, MU or WSUS
00000000-0000-0000-0000-000000000000 | -|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| -|MU|7971f918-a847-4430-9279-4a52d1efe18d| +|Unspecified / Default|WU, MU, or WSUS
00000000-0000-0000-0000-000000000000 | +|Windows Update|9482F4B4-E343-43B6-B170-9A65BC822C77| +|Microsoft Update|7971f918-a847-4430-9279-4a52d1efe18d| |Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| |OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| |WSUS or Configuration Manager|Via ServerSelection::ssManagedServer
3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | @@ -115,33 +114,33 @@ Common update failure is caused due to network issues. To find the root of the i - Look for "ProtocolTalker" messages to see client-server sync network traffic. - "SOAP faults" can be either client- or server-side issues; read the message. -- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. +- The Windows Update client uses the Service Locator Service to discover the configurations and endpoints of Microsoft network update sources: Windows update, Microsoft Update, or Flighting. > [!NOTE] - > Warning messages for SLS can be ignored if the search is against WSUS or Configuration Manager. + > If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service. -- On sites that only use WSUS or Configuration Manager, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS or Configuration Manager, since it’s locally configured. +- On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can’t scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it’s locally configured. ![Windows Update scan log 3](images/update-scan-log-3.png) ## Downloading updates ![Windows Update download step](images/update-download-step.png) -Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. +Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device. -To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization technology which downloads updates and reduces bandwidth consumption. +To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses Delivery Optimization, which downloads updates and reduces bandwidth consumption. -For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). +For more information, see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). ## Installing updates ![Windows Update install step](images/update-install-step.png) When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". -The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. +The action list describes all the files needed from Windows Update, and what the installation agent (such as CBS or Setup) should do with them. The action list is provided to the installation agent along with the payload to begin the installation. ## Committing Updates ![Windows Update commit step](images/update-commit-step.png) -When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. +When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the device for you after installing the updates. It has to restart the device because it might be insecure, or not fully updated, until it restarts. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. -For more information see [Manage device restarts after updates](waas-restart.md). +For more information, see [Manage device restarts after updates](waas-restart.md). diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 6c8417f572..8a080c9bcd 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -38,7 +38,6 @@ Windows as a service provides a new way to think about building, deploying, and | [Assign devices to servicing branches for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates) | Explains how to assign devices to the Semi-Annual Channel for feature and quality updates, and how to enroll devices in Windows Insider. | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. | | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | -| [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. | | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | | [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | | [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | @@ -47,6 +46,6 @@ Windows as a service provides a new way to think about building, deploying, and | [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. | >[!TIP] ->Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. +>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. >With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709). diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 6c713170eb..8997b5e4f9 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -22,7 +22,7 @@ Windows Insider Lab for Enterprise is intended for Windows Insiders who want to As an Olympia user, you will have an opportunity to: -- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). +- Use various enterprise features like Windows Information Protection (WIP), Microsoft Defender for Office 365, Windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). - Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. - Validate and test pre-release software in your environment. - Provide feedback. diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index fc033d13bd..bb67966504 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md @@ -24,7 +24,7 @@ Though we encourage you to deploy every available release and maintain a fast ca You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. ### Annual -Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Configuration Manager and Microsoft 365 Apps release cycles: +Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Manager and Microsoft 365 Apps release cycles: [ ![Calendar showing an annual update cadence](images/annual-calendar.png) ](images/annual-calendar.png#lightbox) diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md index 53b1f289ec..19c0a83aa5 100644 --- a/windows/deployment/update/prepare-deploy-windows.md +++ b/windows/deployment/update/prepare-deploy-windows.md @@ -41,13 +41,13 @@ Your infrastructure probably includes many different components and tools. You You should also look at your organization’s environment’s configuration and outline how you’ll implement any necessary changes previously identified in the plan phase to support the update. Consider what you’ll need to do for the various settings and policies that currently underpin the environment. For example: -- Implement new draft security guidance. New versions of Windows can include new features that improve your environment’s security. Your security teams will want to make appropriate changes to security related configurations. +- Implement new draft security guidance. New versions of Windows can include new features that improve your environment’s security. Your security teams will want to make appropriate changes to security-related configurations. - Update security baselines. Security teams understand the relevant security baselines and will have to work to make sure all baselines fit into whatever guidance they have to adhere to. However, your configuration will consist of many different settings and policies. It’s important to only apply changes where they are necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that will slow down the update process. You want to ensure your environment isn’t affected adversely because of changes you make. For example: -1. Review new security settings. Your security team will review the new security settings, to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment. +1. Review new security settings. Your security team will review the new security settings to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment. 2. Review security baselines for changes. Security teams will also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant. @@ -98,7 +98,24 @@ You can check these services manually by using Services.msc, or by using PowerSh ### Network configuration -Ensure that devices can reach necessary Windows Update endpoints through the firewall. +Ensure that devices can reach necessary Windows Update endpoints through the firewall. For example, for Windows 10, version 2004, the following protocols must be able to reach these respective endpoints: + + +|Protocol |Endpoint URL | +|---------|---------| +|TLS 1.2 | `*.prod.do.dsp.mp.microsoft.com` | +|HTTP | `emdl.ws.microsoft.com` | +|HTTP | `*.dl.delivery.mp.microsoft.com` | +|HTTP | `*.windowsupdate.com` | +|HTTPS | `*.delivery.mp.microsoft.com` | +|TLS 1.2 | `*.update.microsoft.com` | +|TLS 1.2 | `tsfe.trafficshaping.dsp.mp.microsoft.com` | + +> [!NOTE] +> Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail. + +The specific endpoints can vary between Windows 10 versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](https://docs.microsoft.com/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows 10 versions are available in the table of contents nearby. + ### Optimize download bandwidth Set up [Delivery Optimization](waas-delivery-optimization.md) for peer network sharing or Microsoft Connected Cache. diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index 8911262e12..b96d2edfd6 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -22,7 +22,7 @@ There are a number of requirements to consider when manually configuring devices The requirements are separated into different categories: 1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured. -2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations. +2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Update Compliance. For example, devices in both main and satellite offices, which might have different network configurations must be able to reach the endpoints. 3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality. 4. [**Run a full Census sync**](#run-a-full-census-sync) on new devices to ensure that all necessary data points are collected. @@ -34,7 +34,7 @@ The requirements are separated into different categories: Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) or Group Policy. For both tables: - **Policy** corresponds to the location and name of the policy. -- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) telemetry, but can function off Enhanced or Full (or Optional). +- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) diagnostic data, but can function off Enhanced or Full (or Optional). - **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any. ### Mobile Device Management policies @@ -44,8 +44,8 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e | Policy | Value | Function | |---------------------------|-|------------------------------------------------------------| |**Provider/*ProviderID*/**[**CommercialID**](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. | -|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. | -|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether end-users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | +|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | +|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | |**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | > [!NOTE] @@ -58,8 +58,8 @@ All Group Policies that need to be configured for Update Compliance are under ** | Policy | Value | Function | |---------------------------|-|-----------------------------------------------------------| |**Configure the Commercial ID** |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) | Identifies the device as belonging to your organization. | -|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this lower than what the policy defines. See the following policy for more information. | -|**Configure telemetry opt-in setting user interface** | 1 - Disable telemetry opt-in Settings |(in Windows 10, version 1803 and later) Determines whether end-users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | +|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. See the following policy for more information. | +|**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | |**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | ## Required endpoints @@ -72,9 +72,9 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic | `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. | | `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. | | `http://adl.windows.com` | Required for Windows Update functionality. | -| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. | +| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. | | `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. | -| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. This also requires Microsoft Account Sign-in Assistant service to be running (wlidsvc). | +| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). | ## Required services @@ -83,7 +83,7 @@ Many Windows and Microsoft services are required to ensure that not only the dev ## Run a full Census sync -Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script does this. +Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this behavior, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script will do a full sync. A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps: diff --git a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md index 2ddf505e62..52147e7fab 100644 --- a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md @@ -26,7 +26,7 @@ WaaSInsiderStatus records contain device-centric data and acts as the device rec |**OSArchitecture** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. | |**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. | |**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. | -|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). | +|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-health/release-information). | |**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. | |**OSEdition** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. | |**OSFamily** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows.Desktop` |The Device Family of the device. Only `Windows.Desktop` is currently supported. | diff --git a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md index 0b5adb4096..72389ab819 100644 --- a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md +++ b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md @@ -33,7 +33,7 @@ WaaSUpdateStatus records contain device-centric data and acts as the device reco |**OSArchitecture** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. | |**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. | |**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. | -|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). | +|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-health/release-information). | |**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. | |**OSCurrentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Current` |*Deprecated* Whether or not the device is on the latest Windows Feature Update available, as well as the latest Quality Update for that Feature Update. | |**OSEdition** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. | diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index f85076eabc..076590a90f 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -21,7 +21,7 @@ ms.custom: seo-marvel-apr2020 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. +BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. - Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. @@ -59,7 +59,6 @@ In addition to these steps, there is one requirement for WSUS to be able to use - [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 68b9bc63f3..319ff18112 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -30,7 +30,7 @@ You can use Group Policy or your mobile device management (MDM) service to confi > [!IMPORTANT] > Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). -Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md). +Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic. ## Start by grouping devices @@ -267,7 +267,6 @@ When a device running a newer version sees an update available on Windows Update - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index a50997dbcc..a9ec6583a1 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -25,7 +25,7 @@ ms.custom: seo-marvel-apr2020 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Configuration Manager (when installation of Express Updates is enabled). +Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Manager (when installation of Express Updates is enabled). Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. @@ -62,10 +62,11 @@ For information about setting up Delivery Optimization, including tips for the b - DOMaxUploadBandwidth - Support for new types of downloads: - - Office installations and updates + - Office installs and updates - Xbox game pass games - MSIX apps (HTTP downloads only) - + - Edge browser installs and updates + - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) ## Requirements @@ -90,7 +91,9 @@ The following table lists the minimum Windows 10 version that supports Delivery | Win32 apps for Intune | 1709 | | Xbox game pass games | 2004 | | MSIX apps (HTTP downloads only) | 2004 | -| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 | +| Configuration Manager Express updates | 1709 + Configuration Manager version 1711 | +| Edge browser installs and updates | 1809 | +| [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) | 1903 | > [!NOTE] > Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). @@ -250,7 +253,6 @@ If you suspect this is the problem, check Delivery Optimization settings that co - [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md index 5888c1f3a1..8d11c16e25 100644 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md @@ -60,8 +60,7 @@ As Table 1 shows, each combination of servicing channel and deployment group is ## Related topics -- [Update Windows 10 in the enterprise](index.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Update Windows 10 in the enterprise](index.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index f473a704b2..b3fdbbb2d8 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -101,8 +101,7 @@ For more information, see [Integration with Windows Update for Business in Windo - [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 9f7d882387..17a39a185f 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -24,7 +24,7 @@ ms.topic: article >Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. -WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Configuration Manager provides. +WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Manager provides. When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10. @@ -350,8 +350,7 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s - [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index d1f41bc2bd..5a410e9d8c 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -27,7 +27,7 @@ Windows Update for Business is a free service that is available for all premium Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. -Specifically, Windows Update for Business allows for control over update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization as well as a positive update experience for those in your organization. +Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization. ## What can I do with Windows Update for Business? @@ -47,9 +47,9 @@ Windows Update for Business enables an IT administrator to receive and manage a Windows Update for Business provides management policies for several types of updates to Windows 10 devices: - **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released semi-annually in the fall and in the spring. -- **Quality updates:** These are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. -- **Driver updates:** These are non-Microsoft drivers that are applicable to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. -- **Microsoft product updates**: These are updates for other Microsoft products, such as Office. Product updates are off by default. You can turn them on by using Windows Update for Business policies. +- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as updates for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. +- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. +- **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies. ## Offering @@ -65,13 +65,13 @@ The branch readiness level enables administrators to specify which channel of fe - Windows Insider Fast - Windows Insider Slow - Windows Insider Release Preview -- Semi-annual Channel +- Semi-Annual Channel -Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days are calculated against a release’s Semi-annual Channel release date. For exact release dates, see [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. +Prior to Windows 10, version 1903, there are two channels for released updates: Semi-Annual Channel and Semi-Annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-Annual Channel. All deferral days are calculated against a release’s Semi-Annual Channel release date. For exact release dates, see [Windows Release Information](https://docs.microsoft.com/windows/release-health/release-information). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. #### Defer an update -A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates use the **Select when Preview Builds and Feature Updates are Received** policy. +A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy. |Category |Maximum deferral period | @@ -88,10 +88,10 @@ A Windows Update for Business administrator can defer the installation of both f If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. -To pause feature updates use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). +To pause feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). -Built in benefits: -When updating from Windows Update you get the added benefits of built in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks. +Built-in benefits: +When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks. ### Recommendations @@ -104,13 +104,13 @@ For the best experience with Windows Update, follow these guidelines: ### Manage the end-user experience when receiving Windows Updates -Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for those in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's usually better to use fewer controls to manage the end-user experience. +Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience. #### Recommended experience settings Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features: -1. Automatically download, install and restart (default if no restart policies are set up or enabled) +1. Automatically download, install, and restart (default if no restart policies are set up or enabled) 2. Use the default notifications 3. Set update deadlines @@ -118,7 +118,7 @@ Features like the smart busy check (which ensure updates don't happen when a use A compliance deadline policy (released in June 2019) enables you to set separate deadlines and grace periods for feature and quality updates. -This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This is extremely beneficial in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. +This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This approach is useful in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. #### Update Baseline The large number of different policies offered for Windows 10 can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more. @@ -186,9 +186,9 @@ The branch readiness level enables administrators to specify which channel of fe - Windows Insider Fast - Windows Insider Slow - Windows Insider Release Preview -- Semi-annual Channel for released updates + - Semi-Annual Channel for released updates -Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release's Semi-annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. +Prior to Windows 10, version 1903, there are two channels for released updates: Semi-Annual Channel and Semi-Annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-Annual Channel. All deferral days will be calculated against a release's Semi-Annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-health/release-information). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. ### Recommendations diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md deleted file mode 100644 index abb64e0561..0000000000 --- a/windows/deployment/update/waas-mobile-updates.md +++ /dev/null @@ -1,77 +0,0 @@ ---- -title: Deploy updates to Windows 10 Mobile or Windows 10 IoT Mobile -description: Deploy updates to devices in your organization that are running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile. -ms.prod: w10 -ms.mktglfcycl: manage -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile - - -**Applies to** - -- Windows 10 Mobile -- [Windows 10 IoT Mobile](https://www.microsoft.com/WindowsForBusiness/windows-iot) - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - ->[!TIP] ->If you're not familiar with the Windows 10 servicing or release channels, read [Servicing channels](waas-overview.md#servicing-channels) first. - -Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Semi-annual Channel unless you [enroll the device in the Windows Insider Program](waas-servicing-channels-windows-10-updates.md#enroll-devices-in-the-windows-insider-program). - -[Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades) - - - -| Windows 10 edition | Semi-annual Channel | Insider Program | -| --- | --- | --- | --- | -| Mobile | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Mobile Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | -| IoT Mobile | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | - - - -Configuration of Windows 10 Mobile and Windows 10 IoT Mobile devices is limited to the feature set pertaining to quality updates only. That is, Windows Mobile feature updates are categorized the same as quality updates, and can only be deferred by setting the quality update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. Updates cannot be managed for Windows 10 Mobile. - - -## Windows 10, version 1607 - -Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile: - -- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel -- ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays -- ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates - - - - - - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) - - - diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index 1e0f4be7b7..6c8a01e901 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -24,7 +24,7 @@ When considering your content distribution strategy for Windows 10, think about Two methods of peer-to-peer content distribution are available in Windows 10. -- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. +- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfill peer-to-peer requests. Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates. @@ -33,9 +33,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10. >[!NOTE] >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. - Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content. + Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content. -

+

| Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager | | --- | --- | --- | --- | --- | @@ -43,9 +43,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10. | BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) | > [!NOTE] -> Microsoft Endpoint Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Microsoft Endpoint Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/configmgr/core/plan-design/hierarchy/client-peer-cache). +> Microsoft Endpoint Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Microsoft Endpoint Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/configmgr/core/plan-design/hierarchy/client-peer-cache). > -> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Microsoft Endpoint Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). +> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Microsoft Endpoint Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). ## Express update delivery @@ -93,13 +93,12 @@ At this point, the download is complete and the update is ready to be installed. | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![done](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this topic) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | ## Related topics -- [Update Windows 10 in the enterprise](index.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Update Windows 10 in the enterprise](index.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index a656c096f6..eee777b2ac 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -18,7 +18,6 @@ ms.topic: article **Applies to** - Windows 10 -- Windows 10 IoT Mobile > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) @@ -46,7 +45,7 @@ Application compatibility testing has historically been a burden when approachin Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10. -For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics s a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows). +For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows). ### Device compatibility @@ -67,7 +66,7 @@ To align with this new update delivery model, Windows 10 has three servicing cha There are currently two release channels for Windows 10: - The **Semi-Annual Channel** receives feature updates twice per year. -- The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. +- The **Long-Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. >[!IMPORTANT] >With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. The "Semi-Annual Channel (Targeted)" designation is no longer used. For more information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747). @@ -101,7 +100,7 @@ In Windows 10, rather than receiving several updates each month and trying to fi To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. -With that in mind, Windows 10 offers three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/). +With that in mind, Windows 10 offers three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long-Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information). The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools). @@ -129,7 +128,7 @@ Organizations are expected to initiate targeted deployment on Semi-Annual Channe Specialized systems—such as devices that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools. > [!NOTE] -> Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. +> Windows 10 Enterprise LTSB is a separate Long-Term Servicing Channel version. > > Long-term Servicing channel is not intended for deployment on most or all the devices in an organization; it should be used only for special-purpose devices. As a general guideline, a device with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the Semi-Annual servicing channel. @@ -165,7 +164,7 @@ There are many tools with which IT pros can service Windows as a service. Each o - **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready. - **Microsoft Endpoint Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. -With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses Microsoft Endpoint Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1. +With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses Microsoft Endpoint Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1. **Table 1** @@ -197,8 +196,7 @@ With all these options, which an organization chooses depends on the resources, ## Related topics - [Update Windows 10 in the enterprise](index.md) -- [Quick guide to Windows as a service](waas-quick-start.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Quick guide to Windows as a service](waas-quick-start.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index 7e0bf21538..4a021b02f7 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -24,12 +24,12 @@ Windows as a service is a new concept, introduced with the release of Windows 10 ## Definitions Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean. -- **Feature updates** are released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. +- **Feature updates** are released twice per year, around March and September. As the name suggests, these updates add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. - **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md). -- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. +- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. - **Servicing channels** allow organizations to choose when to deploy new features. - The **Semi-Annual Channel** receives feature updates twice per year. - - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. + - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. - **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. See [Overview of Windows as a service](waas-overview.md) for more information. @@ -42,19 +42,19 @@ Windows 10 gains new functionality with twice-per-year feature update releases. All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. These versions include Enterprise and Education editions for Windows 10, versions 1607 and later. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18-month lifecycle. -Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years. +Windows 10 Enterprise LTSB is a separate **Long-Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years. -See [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) for more information. +For more information, see [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md). ## Staying up to date -The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Endpoint Configuration Manager, and third-party products) can be used to help with this process. [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help. +The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Endpoint Configuration Manager, and non-Microsoft products) to help with this process. [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help. Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. -This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles. +This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles. -Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files. +Other technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) and [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) for more information. @@ -67,8 +67,7 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window ## Related topics -- [Update Windows 10 in the enterprise](index.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Update Windows 10 in the enterprise](index.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 4f59f66eec..4094472fa0 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -1,6 +1,6 @@ --- title: Manage device restarts after updates (Windows 10) -description: Use Group Policy settings, mobile device management (MDM) or Registry to configure when devices will restart after a Windows 10 update is installed. +description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows 10 update is installed. ms.prod: w10 ms.mktglfcycl: deploy author: jaimeo @@ -23,7 +23,7 @@ ms.custom: > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. +You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. ## Schedule update installation @@ -77,11 +77,12 @@ MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.mi ### Configuring active hours through Registry -This method is not recommended, and should only be used when neither Group Policy or MDM are available. +This method is not recommended, and should only be used when you can't use Group Policy or MDM. Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above. -You should set a combination of the following registry values, in order to configure active hours. -Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours. +Configure active hours by setting a combination of the following registry values: + +Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart** and **ActiveHoursEnd** to specify the range of active hours. For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). @@ -100,7 +101,7 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan ## Limit restart delays -After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14. +After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14. ## Control restart notifications @@ -137,7 +138,7 @@ In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarnin ### Engaged restart -Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (7 days by default), Windows transitions to user scheduled restarts. +Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts. The following settings can be adjusted for engaged restart: * Period of time before auto-restart transitions to engaged restart. @@ -183,23 +184,22 @@ The following tables list registry values that correspond to the Group Policy se | Registry key | Key type | Value | | --- | --- | --- | -| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time
1: enable automatic reboot after update installation at ascheduled time | +| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time
1: enable automatic reboot after update installation at a scheduled time | | AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes | | AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates
3: automatically download and notify for installation of updates
4: Automatically download and schedule installation of updates
5: allow the local admin to configure these settings
**Note:** To configure restart behavior, set this value to **4** | -| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation | +| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation | | ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | -There are 3 different registry combinations for controlling restart behavior: +There are three different registry combinations for controlling restart behavior: - To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range. -- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. +- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, and **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. - To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**. -## Related topics +## Related articles - [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 24625947f6..173deccbea 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -1,6 +1,6 @@ --- title: Assign devices to servicing channels for Windows 10 updates (Windows 10) -description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM . +description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM ms.prod: w10 ms.mktglfcycl: deploy author: jaimeo @@ -28,7 +28,7 @@ ms.custom: > >Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. -The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. +The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except devices with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. | Windows 10 edition | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program | | --- | --- | --- | --- | @@ -63,7 +63,7 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to the Semi-Annual Channel -**To assign devices to to the Semi-Annual Channel by using MDM** +**To assign devices to the Semi-Annual Channel by using MDM** - In Windows 10, version 1607 and later releases: @@ -79,10 +79,10 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi ## Enroll devices in the Windows Insider Program -To get started with the Windows Insider Program for Business, you will need to follow a few simple steps: +To get started with the Windows Insider Program for Business, you will need to follow a few steps: 1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/insidersigninaad/). -2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/for-business-organization-admin/) and control settings centrally.
**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. +2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can [register their domain](https://insider.windows.com/for-business-organization-admin/) and control settings centrally.
**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. 3. Make sure the **Allow Telemetry** setting is set to **2** or higher. 4. Starting with Windows 10, version 1709, set policies to manage preview builds and their delivery: @@ -90,7 +90,7 @@ The **Manage preview builds** setting gives administrators control over enabling * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* * MDM: **Update/ManagePreviewBuilds** -The **Branch Readiness Level** settings allows you to choose between preview flight rings, and allows you to defer or pause the delivery of updates. +The **Branch Readiness Level** settings allow you to choose between preview flight rings, and allows you to defer or pause the delivery of updates. * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* * MDM: **Update/BranchReadinessLevel** @@ -164,7 +164,7 @@ During the life of a device, it might be necessary or desirable to switch betwee In Windows 10, administrators can control user access to Windows Update. -Administrators can disable the "Check for updates" option for users by enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features** . Any background update scans, downloads and installations will continue to work as configured. We don't recomment this setting if you have configured the device to "notify" to download or install as this policy will prevent the user from being able to do so. +Administrators can disable the "Check for updates" option for users by enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**. Any background update scans, downloads, and installations will continue to work as configured. We don't recomment this setting if you have configured the device to "notify" to download or install as this policy will prevent the user from being able to do so. >[!NOTE] > Starting with Windows 10, any Group Policy user configuration settings for Windows Update are no longer supported. @@ -182,8 +182,7 @@ Administrators can disable the "Check for updates" option for users by enabling ## Related topics -- [Update Windows 10 in the enterprise](index.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Update Windows 10 in the enterprise](index.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md index e185b2eb5a..d06e1da91b 100644 --- a/windows/deployment/update/waas-servicing-differences.md +++ b/windows/deployment/update/waas-servicing-differences.md @@ -87,7 +87,7 @@ Moving to the cumulative model for legacy OS versions continues to improve predi Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month's B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month's B release package together with new security updates. Security-only Packages are not part of the C/D preview program. > [!NOTE] -> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as Microsoft Endpoint Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10. +> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as Microsoft Endpoint Manager that rely on it, will not see preview updates for older versions of Windows 10. > [!NOTE] > Preview updates for Windows 10 are not named differently than their LCU counterparts and do not contain the word 'Preview'. They can be identified by their release date (C or D week) and their classification as non-security updates. diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index e4dd1ed582..1edbd81af3 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -22,30 +22,30 @@ ms.collection: m365initiative-coredeploy > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years. +In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years. ![Compare traditional servicing to Windows 10](images/waas-strategy-fig1a.png) Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like: -- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. +- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this population would be a few test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. - **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-Annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. -- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL folder of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) -- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). -- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md). +- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download an .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL folder of a domain controller if not using a Central Store). Always manage new group policies from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) +- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). +- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md). > [!NOTE] > This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md). > -> Windows 10 Enterprise LTSC is a separate Long Term Servicing Channel version. +> Windows 10 Enterprise LTSC is a separate Long-Term Servicing Channel version. Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful: 1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility. -2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-Annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it. -3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department. +2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity will represent most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-Annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it. +3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department. ## Steps to manage updates for Windows 10 @@ -62,8 +62,7 @@ Each time Microsoft releases a Windows 10 feature update, the IT department shou ## Related topics -- [Update Windows 10 in the enterprise](index.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Update Windows 10 in the enterprise](index.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 9e013f0b94..5240b3cf66 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -252,7 +252,6 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ - [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md index d7a01438ab..07f5fbcc98 100644 --- a/windows/deployment/update/waas-wufb-csp-mdm.md +++ b/windows/deployment/update/waas-wufb-csp-mdm.md @@ -105,7 +105,7 @@ Now all devices are paused from updating for 35 days. When the pause is removed, #### I want to stay on a specific version -If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the [Update/TargetReleaseVersion](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) (or Deploy Feature Updates Preview in Intune) instead of using feature update deferrals. When you use this policy, specify the version that you want your device(s) to move to or stay on (for example, "1909"). You can find version information at the [Windows 10 Release Information Page](https://docs.microsoft.com/windows/release-information/). +If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the [Update/TargetReleaseVersion](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) (or Deploy Feature Updates Preview in Intune) instead of using feature update deferrals. When you use this policy, specify the version that you want your device(s) to move to or stay on (for example, "1909"). You can find version information at the [Windows 10 Release Information Page](https://docs.microsoft.com/windows/release-health/release-information). ### Manage how users experience updates @@ -205,8 +205,7 @@ If you use Windows Server Update Server (WSUS), you can prevent users from scann - [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 5c22b5cd47..22086a9521 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -203,7 +203,6 @@ If you use Windows Server Update Server (WSUS), you can prevent users from scann - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md index 412541f1fd..84f56c8131 100644 --- a/windows/deployment/update/waas-wufb-intune.md +++ b/windows/deployment/update/waas-wufb-intune.md @@ -275,8 +275,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r - [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 11dff0bce0..0cad11e031 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -7,7 +7,6 @@ audience: itpro itproauthor: jaimeo ms.audience: itpro author: jaimeo -ms.date: 09/18/2018 ms.reviewer: manager: laurawi ms.topic: article @@ -23,18 +22,18 @@ The following table provides information about common errors you might run into | Error Code | Message | Description | Mitigation | |------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed | -| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

To do this, type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | -| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. | -| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | -| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


Additionally , you can take a network trace and see what is timing out. \ | +| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | +| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | +| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | +| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | +| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | | 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | | 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | -| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | -| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Please login to the system to initiate the installation and allow the system to be rebooted. | -| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-reboot operation for the update is still in progress. | Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. | +| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | +| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | +| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. | | 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | -| 0x8024000B | WU_E_CALL_CANCELLED | Operation was cancelled. | This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | | 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | | 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | | 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md index 1e40aac62e..37dcc627f0 100644 --- a/windows/deployment/update/windows-update-logs.md +++ b/windows/deployment/update/windows-update-logs.md @@ -1,13 +1,12 @@ --- title: Windows Update log files -description: Learn about the Windows Update log files and how to merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file. +description: Learn about the Windows Update log files and how to merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file. ms.prod: w10 ms.mktglfcycl: audience: itpro itproauthor: jaimeo ms.audience: itpro author: jaimeo -ms.date: 09/18/2018 ms.reviewer: manager: laurawi ms.topic: article @@ -21,21 +20,21 @@ ms.custom: seo-marvel-apr2020 The following table describes the log files created by Windows Update. -|Log file|Location|Description|When to Use | +|Log file|Location|Description|When to use | |-|-|-|-| -|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.| -|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
When Updates are downloaded but installation is not triggered.
When Updates are installed but reboot is not triggered. | -|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. | -|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.| +|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update, you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.| +|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these .etl files.|When you see that the updates are available but download is not getting triggered.
When Updates are downloaded but installation is not triggered.
When Updates are installed but reboot is not triggered. | +|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by NotificationUxBroker.exe. |When you want to check whether the notification was triggered or not. | +|CBS.log|%systemroot%\Logs\CBS|This log provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to Windows Update installation.| ## Generating WindowsUpdate.log -To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps&preserve-view=tru). +To merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps&preserve-view=tru). >[!NOTE] ->When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. +>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpdate.log unless you run **Get-WindowsUpdateLog** again. ### Windows Update log components -The WU engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: +The Windows Update engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: - AGENT- Windows Update agent - AU - Automatic Updates is performing this task @@ -93,12 +92,12 @@ The time stamp indicates the time at which the logging occurs. The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log. - The first four hex digits are the process ID. - The next four hex digits are the thread ID. -- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID. +- Each component, such as the USO, Windows Update engine, COM API callers, and Windows Update installer handlers, has its own process ID. ![Windows Update process and thread IDs](images/update-process-id.png) #### Component name -Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows: +Search for and identify the components that are associated with the IDs. Different parts of the Windows Update engine have different component names. Some of them are as follows: - ProtocolTalker - Client-server sync - DownloadManager - Creates and monitors payload downloads @@ -114,7 +113,7 @@ Search for and identify the components that are associated with the IDs. Differe ##### Update ID and revision number There are different identifiers for the same update in different contexts. It's important to know the identifier schemes. -- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time +- Update ID: A GUID (indicated in the previous screenshot) that's assigned to a given update at publication time - Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service - Revision numbers are reused from one update to another (not a unique identifier). - The update ID and revision number are often shown together as "{GUID}.revision." @@ -122,15 +121,15 @@ There are different identifiers for the same update in different contexts. It's ##### Revision ID -- A Revision ID (do no confuse this with "revision number") is a serial number that's issued when an update is initially published or revised on a given service. -- An existing update that's revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID. +- A Revision ID (don't confuse this value with "revision number") is a serial number that's issued when an update is initially published or revised on a given service. +- An existing update that's revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a new revision ID that is not related to the previous ID. - Revision IDs are unique on a given update source, but not across multiple sources. -- The same update revision may have completely different revision IDs on WU and WSUS. -- The same revision ID may represent different updates on WU and WSUS. +- The same update revision might have different revision IDs on Windows Update and WSUS. +- The same revision ID might represent different updates on Windows Update and WSUS. ##### Local ID -- Local ID is a serial number issued when an update is received from a service by a given WU client -- Usually seen in debug logs, especially involving the local cache for update info (Datastore) +- Local ID is a serial number issued when an update is received from a service by a given Windows Update client +- Typically seen in debug logs, especially involving the local cache for update info (Datastore) - Different client PCs will assign different Local IDs to the same update - You can find the local IDs that a client is using by getting the client's %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index bce6aa30cb..92db02e305 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -21,7 +21,7 @@ If you run into problems when using Windows Update, start with the following ste 1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. -2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. +2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on servicing stack updates. 3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: @@ -41,8 +41,8 @@ Advanced users can also refer to the [log](windows-update-logs.md) generated by You might encounter the following scenarios when using Windows Update. -## Why am I offered an older update/upgrade? -The update that is offered to a device depends on several factors. Some of the most common attributes include the following: +## Why am I offered an older update? +The update that is offered to a device depends on several factors. The following are some of the most common attributes: - OS Build - OS Branch @@ -50,20 +50,20 @@ The update that is offered to a device depends on several factors. Some of the m - OS Architecture - Device update management configuration -If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. +If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a deployment group, that your admin is intentionally slowing the rollout of updates. Since the deployment is slow and measured to begin with, all devices will not receive the update on the same day. ## My device is frozen at scan. Why? -The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: +The Settings UI communicates with the Update Orchestrator service that in turn communicates with to Windows Update service. If these services stop unexpectedly, then you might see this behavior. In such cases, follow these steps: 1. Close the Settings app and reopen it. -2. Launch Services.msc and check if the following services are running: +2. Start Services.msc and check if the following services are running: - Update State Orchestrator - Windows Update ## Feature updates are not being offered while other updates are -Devices running Windows 10, version 1709 through Windows 10, version 1803 that are [configured to update from Windows Update](#BKMK_DCAT) (including Windows Update for Business scenarios) are able to install servicing and definition updates but are never offered feature updates. +Devices running Windows 10, version 1709 through Windows 10, version 1803 that are [configured to update from Windows Update](#BKMK_DCAT) (including Windows Update for Business) are able to install servicing and definition updates but are never offered feature updates. Checking the WindowsUpdate.log reveals the following error: ```console @@ -95,12 +95,12 @@ The 0x80070426 error code translates to: ERROR_SERVICE_NOT_ACTIVE - # The service has not been started. ``` -Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and the search for feature updates never completes successfully. +Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on MSA to get the global device ID for the device. Without the MSA service running, the global device ID won't be generated and sent by the client and the search for feature updates never completes successfully. -In order to solve this issue, we need to reset the MSA service to the default StartType of manual. +To resolve this issue, reset the MSA service to the default StartType of "manual." ## Issues related to HTTP/Proxy -Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. +Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Therefore proxy servers on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. To fix this issue, configure a proxy in WinHTTP by using the following netsh command: @@ -113,14 +113,13 @@ netsh winhttp set proxy ProxyServerName:PortNumber If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run. -You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: +You might choose to apply a rule to permit HTTP RANGE requests for the following URLs: -*.download.windowsupdate.com -*.dl.delivery.mp.microsoft.com -*.delivery.mp.microsoft.com -*.emdl.ws.microsoft.com +`*.download.windowsupdate.com` +`*.dl.delivery.mp.microsoft.com` +`*.delivery.mp.microsoft.com` -If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work). +If you can't allow RANGE requests, you'll be downloading more content than needed in updates (as delta patching will not work). ## The update is not applicable to your computer @@ -128,13 +127,13 @@ The most common reasons for this error are described in the following table: |Cause|Explanation|Resolution| |-----|-----------|----------| -|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | +|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you might receive this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | |Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.| |Wrong update for architecture|Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. | -|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
get-hotfix KB3173424,KB2919355,KB2919442
If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. +|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
To determine if these prerequisite updates are installed, run the following PowerShell command:
`get-hotfix KB3173424,KB2919355, KB2919442`.
If the updates are installed, the command will return the installed date in the `InstalledOn` section of the output. ## Issues related to firewall configuration -Error that may be seen in the WU logs: +Error that you might see in Windows Update logs: ```console DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. ``` @@ -150,40 +149,41 @@ DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337(v=ws.10)). ## Issues arising from configuration of conflicting policies -Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. +Windows Update provides a wide range configuration policy to control the behavior of the Windows Update service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting policies may lead to unexpected behaviors. -See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. +For more information, see [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. ## Device cannot access update files -Check that your device can access these Windows Update endpoints: -- `http://windowsupdate.microsoft.com` -- `http://*.windowsupdate.microsoft.com` -- `https://*.windowsupdate.microsoft.com` -- `http://*.update.microsoft.com` -- `https://*.update.microsoft.com` -- `http://*.windowsupdate.com` -- `http://download.windowsupdate.com` -- `https://download.microsoft.com` -- `http://*.download.windowsupdate.com` -- `http://wustat.windows.com` -- `http://ntservicepack.microsoft.com` -- `https://*.prod.do.dsp.mp.microsoft.com` -- `http://*.dl.delivery.mp.microsoft.com` -- `https://*.delivery.mp.microsoft.com` -- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` - - Allow these endpoints for future use. +Ensure that devices can reach necessary Windows Update endpoints through the firewall. For example, for Windows 10, version 2004, the following protocols must be able to reach these respective endpoints: + + +|Protocol |Endpoint URL | +|---------|---------| +|TLS 1.2 | `*.prod.do.dsp.mp.microsoft.com` | +|HTTP | `emdl.ws.microsoft.com` | +|HTTP | `*.dl.delivery.mp.microsoft.com` | +|HTTP | `*.windowsupdate.com` | +|HTTPS | `*.delivery.mp.microsoft.com` | +|TLS 1.2 | `*.update.microsoft.com` | +|TLS 1.2 | `tsfe.trafficshaping.dsp.mp.microsoft.com` | + +> [!NOTE] +> Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail. + +The specific endpoints can vary between Windows 10 versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](https://docs.microsoft.com/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows 10 versions are available in the table of contents nearby. + ## Updates aren't downloading from the intranet endpoint (WSUS or Configuration Manager) -Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: +Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: + 1. Start Windows PowerShell as an administrator. 2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". 3. Run \$MUSM.Services. Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table. -|Output|Interpretation| +|Output|Meaning| |-|-| |- Name: Microsoft Update
-OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | |- Name: DCat Flighting Prod
- OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
- Indicates that the client is configured to receive feature updates from Windows Update. | @@ -192,14 +192,14 @@ Check the output for the Name and OffersWindowsUPdates parameters, which you can |- Name: Windows Update
- OffersWindowsUpdates: True|- The source is Windows Update.
- The client is configured to receive updates from Windows Update Online.| ## You have a bad setup in the environment -If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: +In this example, per the Group Policy set through registry, the system is configured to use WSUS to download updates (note the second line): ```console HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] -"UseWUServer"=dword:00000001 ===================================> it says use WSUS server. +"UseWUServer"=dword:00000001 ``` -From the WU logs: +From Windows Update logs: ```console 2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] 2018-08-06 09:33:31:085 480 1118 Agent ********* @@ -213,9 +213,9 @@ From the WU logs: 2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] ``` -In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. +In the above log snippet, we see that the `Criteria = "IsHidden = 0 AND DeploymentAction=*"`. "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. -Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include Configuration Manager, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. +As shown in the following logs, automatic update runs the scan and finds no update approved for it. So it reports there are no updates to install or download. This is due to an incorrect configuration. The WSUS side should approve the updates for Windows Update so that it fetches the updates and installs them at the specified time according to the policy. Since this scenario doesn't include Configuration Manager, there's no way to install unapproved updates. You're expecting the operational insight agent to do the scan and automatically trigger the download and installation but that won’t happen with this configuration. ```console 2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] @@ -231,15 +231,15 @@ Now if you look at the below logs, the Automatic update runs the scan and finds ``` ## High bandwidth usage on Windows 10 by Windows Update -Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. +Users might see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that might consume bandwidth expand beyond Windows Update components. -The following group policies can help mitigate this: +The following group policies can help mitigate this situation: - Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](https://gpsearch.azurewebsites.net/#4728) (Set to enabled) - Driver search: [Policy Specify search order for device driver source locations](https://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") - Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](https://gpsearch.azurewebsites.net/#10876) (Set to enabled) -Other components that reach out to the internet: +Other components that connect to the internet: - Windows Spotlight: [Policy Configure Windows spotlight on lock screen](https://gpsearch.azurewebsites.net/#13362) (Set to disabled) - Consumer experiences: [Policy Turn off Microsoft consumer experiences](https://gpsearch.azurewebsites.net/#13329) (Set to enabled) diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md index 0fc1330492..055d3b723c 100644 --- a/windows/deployment/update/wufb-autoupdate.md +++ b/windows/deployment/update/wufb-autoupdate.md @@ -25,7 +25,7 @@ Automatic Update governs the "behind the scenes" download and installation proce |-|-| |Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/configmgr/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.| |Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.| -|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or Microsoft Endpoint Configuration Manager users who want to install custom packages that are not offered through Windows Update.| +|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or Microsoft Endpoint Manager users who want to install custom packages that are not offered through Windows Update.| |Do not connect to any Windows Update Internet locations
Required for Dual Scan|Prevents access to Windows Update.| ## Suggested configuration diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md index 56f956aae8..e0a6e9e21f 100644 --- a/windows/deployment/update/wufb-managedrivers.md +++ b/windows/deployment/update/wufb-managedrivers.md @@ -39,7 +39,7 @@ You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and u |Policy| Description | |-|-| -|Specify Intranet Microsoft Update Service Location| Used for WSUS/Microsoft Endpoint Configuration Manager customers who want to install custom packages that are not offered through Windows Update.| +|Specify Intranet Microsoft Update Service Location| Used for WSUS/Microsoft Endpoint Manager customers who want to install custom packages that are not offered through Windows Update.| ### Suggested configuration diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index e2806e3c0c..033f0e0e0d 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -93,7 +93,7 @@ You can run the changepk.exe command-line tool to upgrade devices to a supported `changepk.exe /ProductKey ` -You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise. +You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/windows-server/get-started/kmsclientkeys). For example, the following command will upgrade to Windows 10 Enterprise. `Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43` diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 37da456194..ca70223a2c 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -30,7 +30,7 @@ If you are also migrating to a different edition of Windows, see [Windows 10 edi > > **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. > -> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**. +> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-health/release-information) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**. > > **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. > diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index bc307dfc3a..e7ec8ac329 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -32,25 +32,28 @@ Deployment instructions are provided for the following scenarios: - VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. - VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined. - VMs must be generation 1. -- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). +- VMs must be hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). ## Activation ### Scenario 1 + - The VM is running Windows 10, version 1803 or later. - The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. ### Scenario 2 + - The Hyper-V host and the VM are both running Windows 10, version 1803 or later. [Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account. ### Scenario 3 + - The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner. - In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/). + In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems). For examples of activation issues, see [Troubleshoot the user experience](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#troubleshoot-the-user-experience). @@ -69,7 +72,7 @@ For examples of activation issues, see [Troubleshoot the user experience](https: 6. Follow the instructions to use sysprep at [Steps to generalize a VHD](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd) and then start the VM again. 7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 20. 8. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). -9. Open Windows Configuration Designer and click **Provison desktop services**. +9. Open Windows Configuration Designer and click **Provision desktop services**. 10. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step. 11. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. @@ -111,7 +114,7 @@ For Azure AD-joined VMs, follow the same instructions (above) as for [Active Dir 3. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. 4. Click **Add**, type **Authenticated users**, and then click **OK** three times. 5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). -6. Open Windows Configuration Designer and click **Provison desktop services**. +6. Open Windows Configuration Designer and click **Provision desktop services**. 7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8. 1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. 2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 6b18acd8ae..38d957f492 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -49,8 +49,8 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for ### Install VAMT using the ADK -1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package. -Reminder: There won't be new ADK release for 1909. +1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install). + If an older version is already installed, it is recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database. 2. Enter an install location or use the default path, and then select **Next**. 3. Select a privacy setting, and then select **Next**. 4. Accept the license terms. diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index 7389bcd273..0fcb1ad99c 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -57,7 +57,7 @@ get-help get-VamtProduct -all ``` **Warning** -The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=242278). +The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/vamt). **To view VAMT PowerShell Help sections** diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index 99b5479318..1a47bd0cf9 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md @@ -1,6 +1,6 @@ --- title: Windows 10 deployment process posters -description: View and download Windows 10 deployment process flows for Microsoft Endpoint Configuration Manager and Windows Autopilot. +description: View and download Windows 10 deployment process flows for Microsoft Endpoint Manager and Windows Autopilot. ms.reviewer: manager: laurawi ms.audience: itpro diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 61d5af710d..2146d2fb9f 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -159,7 +159,7 @@ For more information about Windows Autopilot, see [Overview of Windows Autopilot For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. -Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. +Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 87baccf225..180f2dd30b 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -128,7 +128,7 @@ Topics and procedures in this guide are summarized in the following table. An es Stop-Process -Name Explorer ``` -2. Download [Microsoft Endpoint Configuration Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished. +2. Download [Microsoft Endpoint Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished. 3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: @@ -188,7 +188,7 @@ Topics and procedures in this guide are summarized in the following table. An es cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe ``` -18. Provide the following in the Microsoft Endpoint Configuration Manager Setup Wizard: +18. Provide the following in the Microsoft Endpoint Manager Setup Wizard: - **Before You Begin**: Read the text and click *Next*. - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox. - Click **Yes** in response to the popup window. @@ -283,7 +283,7 @@ This section contains several procedures to support Zero Touch installation with 3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. 4. Click the yellow starburst and then click **New Account**. 5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**. -6. Next to **Password** and **Confirm Password**, type **pass@word1**, and then click **OK** twice. +6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then click **OK** twice. ### Configure a boundary group @@ -320,7 +320,7 @@ WDSUTIL /Set-Server /AnswerClients:None > If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**. -2. In the Microsoft Endpoint Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. +2. In the Microsoft Endpoint Manager console, in the **Administration** workspace, click **Distribution Points**. 3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. 4. On the PXE tab, select the following settings: - **Enable PXE support for clients**. Click **Yes** in the popup that appears. @@ -770,8 +770,8 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce 6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: - X:\Windows\temp\SMSTSLog\smsts.log before disks are formatted. - X:\smstslog\smsts.log after disks are formatted. - - C:\\_SMSTaskSequence\Logs\Smstslog\smsts.log before the Microsoft Endpoint Configuration Manager client is installed. - - C:\Windows\ccm\logs\Smstslog\smsts.log after the Microsoft Endpoint Configuration Manager client is installed. + - C:\\_SMSTaskSequence\Logs\Smstslog\smsts.log before the Microsoft Endpoint Manager client is installed. + - C:\Windows\ccm\logs\Smstslog\smsts.log after the Microsoft Endpoint Manager client is installed. - C:\Windows\ccm\logs\smsts.log when the task sequence is complete. Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index a956b7fa4b..86d6e33e83 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -214,7 +214,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon 2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: - 
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
+ 
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: @@ -542,8 +542,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: 
-    Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
-    $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
+    Resize-VHD -Path c:\VHD\2012R2-poc-2.vhd -SizeBytes 100GB
+    $x = (Mount-VHD -Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
     Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
@@ -551,7 +551,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 
     Get-Volume -DriveLetter $x
-    Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd
+ Dismount-VHD -Path c:\VHD\2012R2-poc-2.vhd ### Configure Hyper-V @@ -712,7 +712,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 
     Rename-Computer DC1
-    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
+    New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.1 -PrefixLength 24 -DefaultGateway 192.168.0.2
     Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
@@ -749,7 +749,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to netsh dhcp add securitygroups Restart-Service DHCPServer Add-DhcpServerInDC dc1.contoso.com 192.168.0.1 - Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2 + Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2 10. Next, add a DHCP scope and set option values: @@ -785,7 +785,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to **Configure service and user accounts** - Windows 10 deployment with MDT and Microsoft Endpoint Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. + Windows 10 deployment with MDT and Microsoft Endpoint Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) @@ -886,7 +886,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 
     Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
-    Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
+    Copy-VMFile "PC1" -SourcePath "C:\VHD\pc1.ps1" -DestinationPath "C:\pc1.ps1" -CreateFullPath -FileSource Host
>In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. @@ -917,7 +917,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 
     Rename-Computer SRV1
-    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
+    New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.2 -PrefixLength 24
     Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
     Restart-Computer
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index fb1755d660..eb894fafdc 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -83,6 +83,9 @@ The following figure illustrates how deploying Windows 10 has evolved with each > [!NOTE] > The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). +> [!NOTE] +> Currently, Subscription Activation is only available on commercial tenants and is not currently available on US GCC or GCC High tenants. + For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: - Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. @@ -91,7 +94,7 @@ For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). -If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) +If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) #### Multi-factor authentication diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 6b57a9ab0d..4753557b61 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -53,6 +53,8 @@ These are the things you'll need to complete this lab: A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix. +> If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or a later version. + [Verify support for Hyper-V](#verify-support-for-hyper-v)
[Enable Hyper-V](#enable-hyper-v)
[Create a demo VM](#create-a-demo-vm) @@ -70,7 +72,8 @@ A summary of the sections and procedures in the lab is provided below. Follow ea
    [Autopilot registration using MSfB](#autopilot-registration-using-msfb)
[Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
    [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) -
       [Assign the profile](#assign-the-profile) +
       [Create a device group](#create-a-device-group) +
       [Create the deployment profile](#create-the-deployment-profile)
    [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
[See Windows Autopilot in action](#see-windows-autopilot-in-action)
[Remove devices from Autopilot](#remove-devices-from-autopilot) @@ -140,7 +143,7 @@ After we have set the ISO file location and determined the name of the appropria You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). - When asked to select a platform, choose **64 bit**. -After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). +After you download this file, the name will be extremely long (ex: 19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). 1. So that it is easier to type and remember, rename the file to **win10-eval.iso**. 2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**. @@ -163,7 +166,7 @@ For example, if the command above displays Ethernet but you wish to use Ethernet All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands. > [!IMPORTANT] -> **VM switch**: a VM switch is how Hyper-V connects VMs to a network.

If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."

If you have never created an external VM switch before, then just run the commands below. +> **VM switch**: a VM switch is how Hyper-V connects VMs to a network.

If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."

If you have never created an external VM switch before, then just run the commands below.

If you are not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a currently list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that is used to connect to the Internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch). ```powershell New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name @@ -218,6 +221,9 @@ PS C:\autopilot> ### Install Windows 10 +> [!NOTE] +> The VM will be booted to gather a hardware ID, then it will be reset. The goal in the next few steps is to get to the desktop quickly so don't worry about how it is configured at this stage. The VM only needs to be connected to the Internet. + Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples: ![Windows setup example 1](images/winsetup1.png) @@ -250,7 +256,7 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see Follow these steps to run the PS script: -1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device: +1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device: ```powershell md c:\HWID @@ -263,18 +269,20 @@ Follow these steps to run the PS script: When you are prompted to install the NuGet package, choose **Yes**. -See the sample output below. +See the sample output below. A 'dir' command is issued at the end to show the file that was created. 
 PS C:\> md c:\HWID
 
-    Directory: C:\
+     Directory: C:\
 
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
-d-----        3/14/2019  11:33 AM                HWID
 
-PS C:\> Set-Location c:\HWID
+Mode                 LastWriteTime         Length Name
+----                 -------------         ------ ----
+d-----        11/13/2020   3:00 PM                HWID
+
+
+PS C:\Windows\system32> Set-Location c:\HWID
 PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
 PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
 
@@ -287,13 +295,17 @@ import the NuGet provider now?
 [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
 PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
 PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+Gathered details for device with serial number: 1804-7078-6805-7405-0796-0675-17
 PS C:\HWID> dir
 
+
     Directory: C:\HWID
 
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
--a----        3/14/2019  11:33 AM           8184 AutopilotHWID.csv
+
+Mode                 LastWriteTime         Length Name
+----                 -------------         ------ ----
+-a----        11/13/2020   3:01 PM           8184 AutopilotHWID.csv
+
 
 PS C:\HWID>
@@ -305,7 +317,7 @@ Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory ![Serial number and hardware hash](images/hwid.png) -You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you're using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). +You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this. @@ -317,7 +329,7 @@ If you have trouble copying and pasting the file, just view the contents in Note With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE. On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**. -Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**. +Select **Remove everything** and **Just remove my files**. If you are asked **How would you like to reinstall Windows**, select Local reinstall. Finally, click on **Reset**. ![Reset this PC final prompt](images/autopilot-reset-prompt.jpg) @@ -363,7 +375,7 @@ Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**. -![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.png) +![MDM user scope in the Mobility blade](images/ap-aad-mdm.png) ## Register your VM @@ -371,24 +383,24 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B ### Autopilot registration using Intune -1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**. +1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**. - ![Intune device import](images/device-import.png) + ![Intune device import](images/enroll1.png) > [!NOTE] > If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. 2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank. - ![HWID CSV](images/hwid-csv.png) + ![HWID CSV](images/enroll2.png) You should receive confirmation that the file is formatted correctly before uploading it, as shown above. 3. Click **Import** and wait until the import process completes. This can take up to 15 minutes. -4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example. +4. Click **Refresh** to verify your VM or device has been added. See the following example. - ![Import HWID](images/import-vm.png) + ![Import HWID](images/enroll3.png) ### Autopilot registration using MSfB @@ -425,17 +437,33 @@ Pick one: ### Create a Windows Autopilot deployment profile using Intune > [!NOTE] -> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first: +> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list. -![Intune Devices](images/intune-devices.png) +![Devices](images/enroll4.png) -> The example above lists both a physical device and a VM. Your list should only include only one of these. +#### Create a device group -To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles** +The Autopilot deployment profile wizard will ask for a device group, so we must create one first. To create a device group: -![Deployment profiles](images/deployment-profiles.png) +1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**. +2. In the **Group** blade: + 1. For **Group type**, choose **Security**. + 2. Type a **Group name** and **Group description** (ex: Autopilot Lab). + 3. Azure AD roles can be assigned to the group: **No** + 4. For **Membership type**, choose **Assigned**. +3. Click **Members** and add the Autopilot VM to the group. See the following example: -Click on **Create profile**. + ![add members](images/group1.png) + +4. Click **Create**. + +#### Create the deployment profile + +To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**. + +![Deployment profiles](images/dp.png) + +Click on **Create profile** and then select **Windows PC**. ![Create deployment profile](images/create-profile.png) @@ -444,22 +472,33 @@ On the **Create profile** blade, use the following values: | Setting | Value | |---|---| | Name | Autopilot Lab profile | -| Description | blank | +| Description | Lab | | Convert all targeted devices to Autopilot | No | -| Deployment mode | User-driven | -| Join to Azure AD as | Azure AD joined | -Click on **Out-of-box experience (OOBE)** and configure the following settings: +Click **Next** to continue with the **Out-of-box experience (OOBE)** settings: | Setting | Value | |---|---| -| EULA | Hide | +| Deployment mode | User-driven | +| Join to Azure AD as | Azure AD joined | +| Microsoft Sofware License Terms | Hide | | Privacy Settings | Hide | | Hide change account options | Hide | | User account type | Standard | +| Allow White Glove OOBE | No | +| Language (Region) | Operating system default | +| Automatically configure keyboard | Yes | | Apply device name template | No | -See the following example: +Click **Next** to continue with the **Assignments** settings: + +| Setting | Value | +|---|---| +| Assign to | Selected groups | + +1. Click **Select groups to include**. +2. Click the **Autopilot Lab** group, and then click **Select**. +3. Click **Next** to continue and then click **Create**. See the following example: ![Deployment profile](images/profile.png) @@ -467,40 +506,6 @@ Click on **OK** and then click on **Create**. > If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile). -#### Assign the profile - -Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading. - -To create a Group, open the Azure portal and select **Azure Active Directory** > **Groups** > **All groups**: - -![All groups](images/all-groups.png) - -Select New group from the Groups blade to open the new groups UI. Select the "Security" group type, name the group, and select the "Assigned" membership type: - -Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group. - -![New group](images/new-group.png) - -Now click **Create** to finish creating the new group. - -Click on **All groups** and click **Refresh** to verify that your new group has been successfully created. - -With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results). - -From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile: - -![Lab profile](images/deployment-profiles2.png) - -Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**). - -![Include group](images/include-group.png) - -Click **Select** and then click **Save**. - -![Include group save](images/include-group2.png) - -It's also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot). - ### Create a Windows Autopilot deployment profile using MSfB If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section. @@ -559,14 +564,17 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com - Turn on the device - Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip). -![OOBE sign-in page](images/autopilot-oobe.jpg) +![OOBE sign-in page](images/autopilot-oobe.png) Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. -![Device enabled](images/enabled-device.png) +![Device enabled](images/devices1.png) Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done. +> [!TIP] +> If you recieve a message that "Something went wrong" and it "Looks like we can't connect to the URL for your organization's MDM terms of use" then verify you have correctly [assigned licenses](https://docs.microsoft.com/mem/intune/fundamentals/licenses-assign) to the current user. + Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings. ## Remove devices from Autopilot @@ -575,41 +583,27 @@ To use the device (or VM) for other purposes after completion of this lab, you w ### Delete (deregister) Autopilot device -You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu. +You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**. Select the device you want to delete, then click the Delete button along the top menu. ![Delete device step 1](images/delete-device1.png) -Click **X** when challenged to complete the operation: - -![Delete device step 2](images/delete-device2.png) - This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. -![Delete device step 3](images/delete-device3.png) - The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. > [!NOTE] > A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune. -To remove the device from the Autopilot program, select the device and click Delete. +To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion. -![Delete device step 4](images/delete-device4.png) - -A warning message appears reminding you to first remove the device from Intune, which we previously did. - -![Delete device step 5](images/delete-device5.png) +![Delete device](images/delete-device2.png) At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program: -![Delete device step 6](images/delete-device6.png) - Once the device no longer appears, you are free to reuse it for other purposes. If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button: -![Delete device step 7](images/delete-device7.png) - ## Appendix A: Verify support for Hyper-V Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. @@ -741,7 +735,7 @@ You will be able to find your app in your app list: #### Assign the app to your Intune profile > [!NOTE] -> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. +> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you have not done that, please return to the main part of the lab and complete those steps before returning here. In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu: @@ -810,7 +804,7 @@ Click **OK** and then click **Add**. #### Assign the app to your Intune profile > [!NOTE] -> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. +> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you have not done that, please return to the main part of the lab and complete those steps before returning here. In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu: diff --git a/windows/deployment/windows-autopilot/images/ap-aad-mdm.png b/windows/deployment/windows-autopilot/images/ap-aad-mdm.png new file mode 100644 index 0000000000..ece310f978 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/ap-aad-mdm.png differ diff --git a/windows/deployment/windows-autopilot/images/autopilot-oobe.png b/windows/deployment/windows-autopilot/images/autopilot-oobe.png new file mode 100644 index 0000000000..9cfea73377 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/autopilot-oobe.png differ diff --git a/windows/deployment/windows-autopilot/images/create-profile.png b/windows/deployment/windows-autopilot/images/create-profile.png index 52f087721d..d2816e9c89 100644 Binary files a/windows/deployment/windows-autopilot/images/create-profile.png and b/windows/deployment/windows-autopilot/images/create-profile.png differ diff --git a/windows/deployment/windows-autopilot/images/delete-device1.png b/windows/deployment/windows-autopilot/images/delete-device1.png index e73f929fbd..770c8e5b02 100644 Binary files a/windows/deployment/windows-autopilot/images/delete-device1.png and b/windows/deployment/windows-autopilot/images/delete-device1.png differ diff --git a/windows/deployment/windows-autopilot/images/delete-device2.png b/windows/deployment/windows-autopilot/images/delete-device2.png index ed764ac1ed..188c72d67b 100644 Binary files a/windows/deployment/windows-autopilot/images/delete-device2.png and b/windows/deployment/windows-autopilot/images/delete-device2.png differ diff --git a/windows/deployment/windows-autopilot/images/device-status.png b/windows/deployment/windows-autopilot/images/device-status.png index 5a78973ce5..a5627040ec 100644 Binary files a/windows/deployment/windows-autopilot/images/device-status.png and b/windows/deployment/windows-autopilot/images/device-status.png differ diff --git a/windows/deployment/windows-autopilot/images/devices1.png b/windows/deployment/windows-autopilot/images/devices1.png new file mode 100644 index 0000000000..459aa19c69 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/devices1.png differ diff --git a/windows/deployment/windows-autopilot/images/dp.png b/windows/deployment/windows-autopilot/images/dp.png new file mode 100644 index 0000000000..a133c72491 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/dp.png differ diff --git a/windows/deployment/windows-autopilot/images/enroll1.png b/windows/deployment/windows-autopilot/images/enroll1.png new file mode 100644 index 0000000000..4bc9be72bb Binary files /dev/null and b/windows/deployment/windows-autopilot/images/enroll1.png differ diff --git a/windows/deployment/windows-autopilot/images/enroll2.png b/windows/deployment/windows-autopilot/images/enroll2.png new file mode 100644 index 0000000000..62e7344da1 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/enroll2.png differ diff --git a/windows/deployment/windows-autopilot/images/enroll3.png b/windows/deployment/windows-autopilot/images/enroll3.png new file mode 100644 index 0000000000..3501d5036c Binary files /dev/null and b/windows/deployment/windows-autopilot/images/enroll3.png differ diff --git a/windows/deployment/windows-autopilot/images/enroll4.png b/windows/deployment/windows-autopilot/images/enroll4.png new file mode 100644 index 0000000000..fc7215b68f Binary files /dev/null and b/windows/deployment/windows-autopilot/images/enroll4.png differ diff --git a/windows/deployment/windows-autopilot/images/group1.png b/windows/deployment/windows-autopilot/images/group1.png new file mode 100644 index 0000000000..2ccc8db248 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/group1.png differ diff --git a/windows/deployment/windows-autopilot/images/profile.png b/windows/deployment/windows-autopilot/images/profile.png index 40cf26bee2..1c6c734a74 100644 Binary files a/windows/deployment/windows-autopilot/images/profile.png and b/windows/deployment/windows-autopilot/images/profile.png differ diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json index 0dbfe2d2e9..42439e1e7b 100644 --- a/windows/device-security/docfx.json +++ b/windows/device-security/docfx.json @@ -40,7 +40,16 @@ "depot_name": "MSDN.win-device-security", "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/eulas/docfx.json b/windows/eulas/docfx.json index ff3ab96c92..5270a33f5d 100644 --- a/windows/eulas/docfx.json +++ b/windows/eulas/docfx.json @@ -37,7 +37,16 @@ "globalMetadata": { "breadcrumb_path": "/windows/eulas/breadcrumb/toc.json", "extendBreadcrumb": true, - "feedback_system": "None" + "feedback_system": "None", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md index 25ef07d002..eaeb093642 100644 --- a/windows/hub/TOC.md +++ b/windows/hub/TOC.md @@ -1,6 +1,6 @@ # [Windows 10](index.yml) ## [What's new](/windows/whats-new) -## [Release information](/windows/release-information) +## [Release information](/windows/release-health) ## [Deployment](/windows/deployment) ## [Configuration](/windows/configuration) ## [Client management](/windows/client-management) diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml index a28aaa3b77..e2971f2d84 100644 --- a/windows/hub/breadcrumb/toc.yml +++ b/windows/hub/breadcrumb/toc.yml @@ -27,7 +27,7 @@ topicHref: /windows/client-management/mdm/index - name: Release information tocHref: /windows/release-information/ - topicHref: /windows/release-information/index + topicHref: /windows/release-health/release-information - name: Privacy tocHref: /windows/privacy/ topicHref: /windows/privacy/index diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 07a8ea153b..898e842c41 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -36,6 +36,7 @@ "globalMetadata": { "audience": "ITPro", "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "ms.topic": "article", "feedback_system": "GitHub", @@ -47,7 +48,16 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Windows 10 for IT Pros" + "titleSuffix": "Windows 10 for IT Pros", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 75355791f6..bac6a47a7b 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -33,7 +33,7 @@ landingContent: - text: What's new in Windows 10, version 1909 url: /windows/whats-new/whats-new-windows-10-version-1909 - text: Windows 10 release information - url: https://docs.microsoft.com/windows/release-information/ + url: https://docs.microsoft.com/windows/release-health/release-information # Card (optional) - title: Configuration diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json index 884e478dcb..eecc6e8b2e 100644 --- a/windows/keep-secure/docfx.json +++ b/windows/keep-secure/docfx.json @@ -36,7 +36,16 @@ "depot_name": "MSDN.keep-secure", "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/known-issues/docfx.json b/windows/known-issues/docfx.json index ebcaf22f82..4592f86de8 100644 --- a/windows/known-issues/docfx.json +++ b/windows/known-issues/docfx.json @@ -38,7 +38,16 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app" + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json index a65600c79b..e96e3ebf76 100644 --- a/windows/manage/docfx.json +++ b/windows/manage/docfx.json @@ -35,7 +35,16 @@ "depot_name": "MSDN.windows-manage", "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/media/phase-diagrams/deployment-phases.png b/windows/media/phase-diagrams/deployment-phases.png new file mode 100644 index 0000000000..4d2a4fa946 Binary files /dev/null and b/windows/media/phase-diagrams/deployment-phases.png differ diff --git a/windows/media/phase-diagrams/migration-phases.png b/windows/media/phase-diagrams/migration-phases.png new file mode 100644 index 0000000000..d502450fba Binary files /dev/null and b/windows/media/phase-diagrams/migration-phases.png differ diff --git a/windows/media/phase-diagrams/onboard.png b/windows/media/phase-diagrams/onboard.png new file mode 100644 index 0000000000..b6a29de3bf Binary files /dev/null and b/windows/media/phase-diagrams/onboard.png differ diff --git a/windows/media/phase-diagrams/prepare.png b/windows/media/phase-diagrams/prepare.png new file mode 100644 index 0000000000..1001e41e0d Binary files /dev/null and b/windows/media/phase-diagrams/prepare.png differ diff --git a/windows/media/phase-diagrams/setup.png b/windows/media/phase-diagrams/setup.png new file mode 100644 index 0000000000..1635785046 Binary files /dev/null and b/windows/media/phase-diagrams/setup.png differ diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json index a05d2009a6..d4e156d3c2 100644 --- a/windows/plan/docfx.json +++ b/windows/plan/docfx.json @@ -35,7 +35,16 @@ "depot_name": "MSDN.windows-plan", "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 12bf3f543c..792337ed12 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +description: Use this article to learn more about what Windows 10 version 1809 diagnostic data is gathered at the basic level. title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 @@ -312,7 +312,6 @@ The following fields are available: - **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_20H1** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. @@ -328,7 +327,6 @@ The following fields are available: - **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_20H1** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. - **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. @@ -344,7 +342,6 @@ The following fields are available: - **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_20H1** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. - **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. - **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. @@ -360,7 +357,6 @@ The following fields are available: - **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. @@ -376,7 +372,6 @@ The following fields are available: - **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. @@ -392,7 +387,6 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. @@ -408,7 +402,6 @@ The following fields are available: - **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_20H1** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. - **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. - **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. @@ -424,7 +417,6 @@ The following fields are available: - **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_20H1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. @@ -440,7 +432,6 @@ The following fields are available: - **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_20H1** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. - **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. @@ -456,7 +447,6 @@ The following fields are available: - **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_20H1** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. - **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. @@ -472,7 +462,6 @@ The following fields are available: - **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. - **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. - **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. @@ -488,7 +477,6 @@ The following fields are available: - **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. - **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. @@ -504,7 +492,6 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. @@ -520,7 +507,6 @@ The following fields are available: - **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. - **DecisionMediaCenter_20H1** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. - **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. @@ -536,7 +522,6 @@ The following fields are available: - **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionSystemBios_20H1** The count of the number of this particular object type present on this device. - **DecisionSystemBios_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. - **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. - **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. @@ -549,7 +534,6 @@ The following fields are available: - **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. - **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. - **DecisionTest_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionTest_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. - **InventoryDeviceContainer** A count of device container objects in cache. @@ -579,7 +563,6 @@ The following fields are available: - **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. - **Wmdrm_20H1** The count of the number of this particular object type present on this device. - **Wmdrm_20H1Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_21H1Setup** The count of the number of this particular object type present on this device. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 1623bf2d24..51c8baac0e 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what required Windows diagnostic data is gathered. +description: Use this article to learn more about what required Windows 10 version 1903 diagnostic data is gathered. title: Windows 10, version 1909 and Windows 10, version 1903 required diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 @@ -274,8 +274,6 @@ The following fields are available: - **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_20H1** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_21H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. @@ -287,8 +285,6 @@ The following fields are available: - **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_20H1** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_21H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. - **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. @@ -303,8 +299,6 @@ The following fields are available: - **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_20H1** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_21H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. - **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. - **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. @@ -319,8 +313,6 @@ The following fields are available: - **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_21H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. @@ -332,8 +324,6 @@ The following fields are available: - **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_21H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. @@ -345,8 +335,6 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_21H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. @@ -359,8 +347,6 @@ The following fields are available: - **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_20H1** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_21H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. - **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. - **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. @@ -375,8 +361,6 @@ The following fields are available: - **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_20H1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_21H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. @@ -388,8 +372,6 @@ The following fields are available: - **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_20H1** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_21H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. - **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. @@ -404,8 +386,6 @@ The following fields are available: - **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_20H1** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_21H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. - **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. @@ -420,8 +400,6 @@ The following fields are available: - **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_21H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. - **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. - **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. @@ -433,8 +411,6 @@ The following fields are available: - **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_21H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. - **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. @@ -446,8 +422,6 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_21H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. @@ -459,8 +433,6 @@ The following fields are available: - **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. - **DecisionMediaCenter_20H1** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_21H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. - **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. @@ -473,8 +445,6 @@ The following fields are available: - **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionSystemBios_20H1** The count of the number of this particular object type present on this device. - **DecisionSystemBios_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_21H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. - **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. - **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. @@ -488,8 +458,6 @@ The following fields are available: - **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. - **DecisionTest_20H1** The count of the number of this particular object type present on this device. - **DecisionTest_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionTest_21H1** The count of the number of this particular object type present on this device. -- **DecisionTest_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. - **InventoryDeviceContainer** A count of device container objects in cache. @@ -518,8 +486,6 @@ The following fields are available: - **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. - **Wmdrm_20H1** The count of the number of this particular object type present on this device. - **Wmdrm_20H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. -- **Wmdrm_21H1** The count of the number of this particular object type present on this device. -- **Wmdrm_21H1Setup** The count of the number of this particular object type present on this device. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index f7ff32cbfe..bb7dfb718c 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -33,6 +33,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", @@ -45,8 +46,19 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Windows Privacy" + "titleSuffix": "Windows Privacy", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, + "searchScope": ["Windows 10"] + }, "fileMetadata": {}, "template": [], "dest": "privacy", diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index d53f7dc795..1c68d554a4 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -8,10 +8,10 @@ ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: high audience: ITPro -author: medgarmedgar +author: robsize ms.author: dansimp manager: robsize -ms.date: 3/25/2020 +ms.date: 12/1/2020 --- # Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 956ca7dc78..b40f5823e6 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -10,11 +10,11 @@ ms.sitesec: library ms.localizationpriority: high audience: ITPro author: linque1 -ms.author: obezeajo +ms.author: robsize manager: robsize ms.collection: M365-security-compliance ms.topic: article -ms.date: 7/7/2020 +ms.date: 12/1/2020 --- # Manage connections from Windows 10 operating system components to Microsoft services @@ -390,7 +390,7 @@ Windows Insider Preview builds only apply to Windows 10 and are not available fo > [!NOTE] -> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**. +> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Optional (Full)**. Although the diagnostic data level may initially appear as **Required (Basic)**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Optional (Full)**. To turn off Insider Preview builds for a released version of Windows 10: @@ -1302,7 +1302,7 @@ To change how frequently **Windows should ask for my feedback**: To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: -- Click either the **Basic** or **Full** options. +- Click either the **Required (Basic)** or **Optional (Full)** options. -or- @@ -1659,7 +1659,7 @@ You can turn off **Enhanced Notifications** as follows: -or- -- Create a new REG_SZ registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** to a value of **1**. +- Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**. ### 24.1 Windows Defender SmartScreen diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md index aec2607c4f..8ec7b613c3 100644 --- a/windows/privacy/manage-windows-1709-endpoints.md +++ b/windows/privacy/manage-windows-1709-endpoints.md @@ -456,4 +456,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md index 75b7e8cde2..9525d0fed9 100644 --- a/windows/privacy/manage-windows-1803-endpoints.md +++ b/windows/privacy/manage-windows-1803-endpoints.md @@ -461,4 +461,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index e29d853c05..6ff4c469cf 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -15,6 +15,7 @@ ms.topic: article ms.date: 6/26/2018 ms.reviewer: --- + # Manage connection endpoints for Windows 10 Enterprise, version 1809 **Applies to** @@ -30,17 +31,17 @@ Some Windows components, app, and related services transfer data to Microsoft ne - Using your location to show a weather forecast. This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. -Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. We used the following methodology to derive these network endpoints: -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. @@ -49,70 +50,70 @@ We used the following methodology to derive these network endpoints: ## Apps -The following endpoint is used to download updates to the Weather app Live Tile. +The following endpoint is used to download updates to the Weather app Live Tile. If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. | Source process | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | +|:--------------:|:--------:|:------------| +| explorer | HTTP | tile-service.weather.microsoft.com | | | HTTP | blob.weather.microsoft.com | -The following endpoint is used for OneNote Live Tile. -To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +The following endpoint is used for OneNote Live Tile. +To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | HTTPS | cdn.onenote.net/livetile/?Language=en-US | -The following endpoints are used for Twitter updates. -To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +The following endpoints are used for Twitter updates. +To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | HTTPS | wildcard.twimg.com | | svchost.exe | | oem.twimg.com/windows/tile.xml | -The following endpoint is used for Facebook updates. -To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +The following endpoint is used for Facebook updates. +To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | | star-mini.c10r.facebook.com | -The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office. -To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office. +To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | -The following endpoint is used for Candy Crush Saga updates. -To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +The following endpoint is used for Candy Crush Saga updates. +To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | TLS v1.2 | candycrushsoda.king.com | -The following endpoint is used for by the Microsoft Wallet app. -To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +The following endpoint is used for by the Microsoft Wallet app. +To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | -The following endpoint is used by the Groove Music app for update HTTP handler status. +The following endpoint is used by the Groove Music app for update HTTP handler status. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. | Source process | Protocol | Destination | @@ -123,7 +124,7 @@ The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | HTTPS | wbd.ms | | | HTTPS | int.whiteboard.microsoft.com | | | HTTPS | whiteboard.microsoft.com | @@ -135,28 +136,28 @@ The following endpoint is used to get images that are used for Microsoft Store s If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | searchui | HTTPS |store-images.s-microsoft.com | The following endpoint is used to update Cortana greetings, tips, and Live Tiles. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | backgroundtaskhost | HTTPS | www.bing.com/client | -The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. +The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | backgroundtaskhost | HTTPS | www.bing.com/proactive | The following endpoint is used by Cortana to report diagnostic and diagnostic data information. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | ## Certificates @@ -164,13 +165,13 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. -These settings are critical for both Windows security and the overall security of the Internet. +These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. | Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | ctldl.windowsupdate.com | +|:--------------:|:--------:|:------------| +| svchost | HTTP | ctldl.windowsupdate.com | ## Device authentication @@ -178,7 +179,7 @@ The following endpoint is used to authenticate a device. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | HTTPS | login.live.com/ppsecure | ## Device metadata @@ -187,7 +188,7 @@ The following endpoint is used to retrieve device metadata. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | | dmd.metaservices.microsoft.com.akadns.net | | | HTTP | dmd.metaservices.microsoft.com | @@ -197,21 +198,21 @@ The following endpoint is used by the Connected User Experiences and Telemetry c If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | svchost | | cy2.vortex.data.microsoft.com.akadns.net | The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 | The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | wermgr | | watson.telemetry.microsoft.com | | | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | @@ -221,9 +222,9 @@ The following endpoints are used to download fonts on demand. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | svchost | | fs.microsoft.com | -| | | fs.microsoft.com/fs/windows/config.json | +| | | fs.microsoft.com/fs/windows/config.json | ## Licensing @@ -231,7 +232,7 @@ The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | ## Location @@ -240,7 +241,7 @@ The following endpoint is used for location data. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | HTTP | location-inference-westus.cloudapp.net | | | HTTPS | inference.location.live.net | @@ -250,16 +251,16 @@ The following endpoint is used to check for updates to maps that have been downl If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. | Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *g.akamaiedge.net | +|:--------------:|:--------:|:------------| +| svchost | HTTPS | *g.akamaiedge.net | ## Microsoft account -The following endpoints are used for Microsoft accounts to sign in. +The following endpoints are used for Microsoft accounts to sign in. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | | login.msa.akadns6.net | | | | login.live.com | | | | account.live.com | @@ -272,29 +273,29 @@ The following endpoint is used for the Windows Push Notification Services (WNS). If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | HTTPS | *.wns.windows.com | -The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. +The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | HTTP | storecatalogrevocation.storequality.microsoft.com | -The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | | backgroundtransferhost | HTTPS | store-images.microsoft.com | -The following endpoints are used to communicate with Microsoft Store. +The following endpoints are used to communicate with Microsoft Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | HTTP | storeedgefd.dsx.mp.microsoft.com | | | HTTP \ HTTPS | pti.store.microsoft.com | ||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| @@ -302,48 +303,48 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op ## Network Connection Status Indicator (NCSI) -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | HTTP | www.msftconnecttest.com/connecttest.txt | ## Office -The following endpoints are used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +The following endpoints are used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. | Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.a-msedge.net | -| hxstr | | *.c-msedge.net | +|:--------------:|:--------:|:------------| +| | | *.a-msedge.net | +| hxstr | | *.c-msedge.net | | | | *.e-msedge.net | | | | *.s-msedge.net | | | HTTPS | ocos-office365-s2s.msedge.net | | | HTTPS | nexusrules.officeapps.live.com | | | HTTPS | officeclient.microsoft.com | -The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | system32\Auth.Host.exe | HTTPS | outlook.office365.com | The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| |Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| The following endpoint is used to connect the Office To-Do app to it's cloud service. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | |HTTPS|to-do.microsoft.com| ## OneDrive @@ -352,15 +353,15 @@ The following endpoint is a redirection service that’s used to automatically u If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. | Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTPS | oneclient.sfx.ms | +|:--------------:|:--------:|:------------| +| onedrive | HTTPS | oneclient.sfx.ms | ## Settings @@ -368,21 +369,21 @@ The following endpoint is used as a way for apps to dynamically update their con If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | dmclient | | cy2.settings.data.microsoft.com.akadns.net | The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | dmclient | HTTPS | settings.data.microsoft.com | The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | svchost | HTTPS | settings-win.data.microsoft.com | ## Skype @@ -390,7 +391,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| |microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | | | HTTPS | browser.pipe.aria.microsoft.com | | | | skypeecs-prod-usw-0-b.cloudapp.net | @@ -401,14 +402,14 @@ The following endpoint is used for Windows Defender when Cloud-based Protection If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service). | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | | wdcp.microsoft.com | The following endpoints are used for Windows Defender definition updates. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | | definitionupdates.microsoft.com | |MpCmdRun.exe|HTTPS|go.microsoft.com | @@ -416,10 +417,10 @@ The following endpoints are used for Windows Defender Smartscreen reporting and If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Windows Defender Smartscreen notifications will no appear. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | | HTTPS | ars.smartscreen.microsoft.com | | | HTTPS | unitedstates.smartscreen-prod.microsoft.com | -| | | smartscreen-sn3p.smartscreen.microsoft.com | +| | | smartscreen-sn3p.smartscreen.microsoft.com | ## Windows Spotlight @@ -427,7 +428,7 @@ The following endpoints are used to retrieve Windows Spotlight metadata that des If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | backgroundtaskhost | HTTPS | arc.msn.com | | backgroundtaskhost | | g.msn.com.nsatc.net | | |TLS v1.2| *.search.msn.com | @@ -440,22 +441,22 @@ The following endpoint is used for Windows Update downloads of apps and OS updat If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | -The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. +The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | svchost | HTTP | *.windowsupdate.com | | svchost | HTTP | *.dl.delivery.mp.microsoft.com | -The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. +The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | svchost | HTTPS | *.update.microsoft.com | | svchost | HTTPS | *.delivery.mp.microsoft.com | @@ -467,7 +468,7 @@ The following endpoint is used for content regulation. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. | Source process | Protocol | Destination | -|----------------|----------|------------| +|:--------------:|:--------:|:------------| | svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | @@ -478,7 +479,7 @@ The following endpoint is used by the Microsoft forward link redirection service If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. | Source process | Protocol | Destination | -|----------------|----------|------------| +|----------------|:--------:|------------| |Various|HTTPS|go.microsoft.com| ## Other Windows 10 editions @@ -496,4 +497,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) +- [Network endpoints for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index a2fffa2486..9aa743d944 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -187,6 +187,6 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index ba34b2d47b..9fe2ca8cc1 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md @@ -73,7 +73,6 @@ The following methodology was used to derive these network endpoints: ||The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|TLS v1.2|inference.location.live.net| |Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| ||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTP|*maps.windows.com| -|| The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTP|fs.microsoft.com*| |Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| ||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLS v1.2|*login.live.com| |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| @@ -138,4 +137,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index df3f9bb1e9..aea5913427 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.localizationpriority: high audience: ITPro author: linque1 -ms.author: obezeajo +ms.author: robsize manager: robsize ms.collection: M365-security-compliance ms.topic: article @@ -113,6 +113,7 @@ The following methodology was used to derive these network endpoints: |||HTTP|*.windowsupdate.com| ||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTPS|*.delivery.mp.microsoft.com| |||TLSv1.2|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP|adl.windows.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|TLSv1.2|tsfe.trafficshaping.dsp.mp.microsoft.com| |Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| |||TLSv1.2|dlassets-ssl.xboxlive.com| @@ -137,4 +138,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md new file mode 100644 index 0000000000..d449b47b4c --- /dev/null +++ b/windows/privacy/manage-windows-20H2-endpoints.md @@ -0,0 +1,158 @@ +--- +title: Connection endpoints for Windows 10 Enterprise, version 20H2 +description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 20H2. +keywords: privacy, manage connections to Microsoft, Windows 10 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: gental-giant +ms.author: v-hakima +manager: robsize +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/17/2020 +--- + +# Manage connection endpoints for Windows 10 Enterprise, version 20H2 + +**Applies to** + +- Windows 10 Enterprise, version 20H2 + +Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: + +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. + +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic. + +The following methodology was used to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 20H2 Enterprise connection endpoints + +|Area|Description|Protocol|Destination| +|----------------|----------|----------|------------| +|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| +|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| +||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||TLSv1.2/HTTPS/HTTP|fp.msedge.net| +|||TLSv1.2|I-ring.msedge.net| +|||HTTPS|s-ring.msedge.net| +|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| +|||HTTP|dmd.metaservices.microsoft.com| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||HTTP|www.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| +|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| +|||HTTPS|fs.microsoft.com| +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| +|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com| +|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| +||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com| +|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| +||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| +|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| +||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| +||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| +|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTP|share.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||HTTPS|www.office.com| +|||HTTPS|blobs.officehome.msocdn.com| +|||HTTPS|officehomeblobs.blob.core.windows.net| +|||HTTPS|self.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)| +|||TLSv1.2/HTTPS/HTTP|g.live.com| +|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms| +|||HTTPS| logincdn.msauth.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com| +|||HTTPS|settings.data.microsoft.com| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|||HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| +|||HTTPS/TLSv1.2|wdcp.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com| +|||HTTPS/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| +|||TLSv1.2/HTTPS/HTTP|arc.msn.com| +|||HTTPS|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||HTTP|emdl.ws.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +|||HTTP|*.windowsupdate.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com| +||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||HTTPS|dlassets-ssl.xboxlive.com| + + +## Other Windows 10 editions + +To view endpoints for other versions of Windows 10 Enterprise, see: + +- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) + +To view endpoints for non-Enterprise Windows 10 editions, see: + +- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) +- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) +- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) + +## Related links + +- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index a1832d8486..2605b80713 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what required Windows diagnostic data is gathered. +description: Use this article to learn more about what required Windows 10 version 2004 and version 20H2 diagnostic data is gathered. title: Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 @@ -61,10 +61,6 @@ The following fields are available: - **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_20H1** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_21H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. @@ -74,8 +70,6 @@ The following fields are available: - **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_20H1** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_21H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. - **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. @@ -89,8 +83,6 @@ The following fields are available: - **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_20H1** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_21H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. - **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. - **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. @@ -104,8 +96,6 @@ The following fields are available: - **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_21H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. @@ -117,8 +107,6 @@ The following fields are available: - **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_21H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. @@ -130,8 +118,6 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_21H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. @@ -143,8 +129,6 @@ The following fields are available: - **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_20H1** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_21H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_21H1Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. - **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. - **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. @@ -158,8 +142,6 @@ The following fields are available: - **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_20H1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_21H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. @@ -171,8 +153,6 @@ The following fields are available: - **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_20H1** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_21H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. - **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. @@ -186,8 +166,6 @@ The following fields are available: - **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_20H1** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_21H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. - **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. @@ -201,8 +179,6 @@ The following fields are available: - **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_21H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. - **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. - **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. @@ -214,8 +190,6 @@ The following fields are available: - **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_21H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. - **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. @@ -227,8 +201,6 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_21H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. @@ -240,8 +212,6 @@ The following fields are available: - **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. - **DecisionMediaCenter_20H1** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_21H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. - **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. @@ -253,8 +223,6 @@ The following fields are available: - **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionSystemBios_20H1** The count of the number of this particular object type present on this device. - **DecisionSystemBios_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_21H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. - **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. - **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. @@ -265,8 +233,6 @@ The following fields are available: - **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. - **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. - **DecisionTest_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionTest_21H1** The count of the number of this particular object type present on this device. -- **DecisionTest_21H1Setup** The count of the number of this particular object type present on this device. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. - **InventoryLanguagePack** The count of the number of this particular object type present on this device. - **InventoryMediaCenter** The count of the number of this particular object type present on this device. @@ -288,8 +254,6 @@ The following fields are available: - **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. - **Wmdrm_20H1** The count of the number of this particular object type present on this device. - **Wmdrm_20H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. -- **Wmdrm_21H1** The count of the number of this particular object type present on this device. -- **Wmdrm_21H1Setup** The count of the number of this particular object type present on this device. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. @@ -1638,7 +1602,7 @@ The following fields are available: - **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. - **OSEdition** Retrieves the version of the current OS. -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc. - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). - **OSSKU** Retrieves the Friendly Name of OS Edition. - **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. @@ -1786,7 +1750,7 @@ This event sends data about the current user's default preferences for browser a The following fields are available: - **CalendarType** The calendar identifiers that are used to specify different calendars. -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultApp** The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. - **DefaultBrowserProgId** The ProgramId of the current user's default browser. - **LocaleName** Name of the current user locale given by LOCALE_SNAME via the GetLocaleInfoEx() function. - **LongDateFormat** The long date format the user has selected. @@ -6052,7 +6016,7 @@ The following fields are available: ### Microsoft.Windows.Sense.Client.PerformanceScript.OnboardingScript -This event is triggered whenever WDATP onboarding script is run. The data collected with this event is used to keep Windows performing properly. +This event is triggered whenever Microsoft Defender for Endpoint onboarding script is run. The data collected with this event is used to keep Windows performing properly. The following fields are available: diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index 60bf83c118..52a6ddd6da 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml @@ -41,6 +41,8 @@ href: manage-connections-from-windows-operating-system-components-to-microsoft-services.md - name: Manage connections from Windows operating system components to Microsoft services using MDM href: manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md + - name: Connection endpoints for Windows 10, version 20H2 + href: manage-windows-20H2-endpoints.md - name: Connection endpoints for Windows 10, version 2004 href: manage-windows-2004-endpoints.md - name: Connection endpoints for Windows 10, version 1909 @@ -53,6 +55,8 @@ href: manage-windows-1803-endpoints.md - name: Connection endpoints for Windows 10, version 1709 href: manage-windows-1709-endpoints.md + - name: Connection endpoints for non-Enterprise editions of Windows 10, version 20H2 + href: windows-endpoints-20H2-non-enterprise-editions.md - name: Connection endpoints for non-Enterprise editions of Windows 10, version 2004 href: windows-endpoints-2004-non-enterprise-editions.md - name: Connection endpoints for non-Enterprise editions of Windows 10, version 1909 diff --git a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md new file mode 100644 index 0000000000..66a3637398 --- /dev/null +++ b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md @@ -0,0 +1,266 @@ +--- +title: Windows 10, version 20H2, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 20H2. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: gental-giant +ms.author: v-hakima +manager: robsize +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 12/17/2020 +--- +# Windows 10, version 20H2, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 20H2 +- Windows 10 Professional, version 20H2 +- Windows 10 Education, version 20H2 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-2004-endpoints.md), the following endpoints are available on other non-Enterprise editions of Windows 10, version 20H2. + +The following methodology was used to derive the network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +8. These tests were conducted for one week. If you capture traffic for longer you may have different results. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Area** | **Description** | **Protocol** | **Destination** | +|-----------|--------------- |------------- |-----------------| +| Activity Feed Service |The following endpoints are used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| +||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*| +|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||HTTPS/HTTP|fp.msedge.net| +|||HTTPS/HTTP|k-ring.msedge.net| +|||TLSv1.2|b-ring.msedge.net| +|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*| +|Device Directory Service|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.|HTTPS/HTTP|cs.dds.microsoft.com| +|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||TLSv1.2/HTTP|www.microsoft.com| +||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| +|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| +|||HTTPS|licensing.mp.microsoft.com/v7.0/licenses/content| +|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| +|||HTTPS/HTTP|*.ssl.ak.dynamic.tiles.virtualearth.net| +|||HTTPS/HTTP|*.ssl.ak.tiles.virtualearth.net| +|||HTTPS/HTTP|dev.virtualearth.net| +|||HTTPS/HTTP|ecn.dev.virtualearth.net| +|||HTTPS/HTTP|ssl.bing.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge|The following endpoints are used for Microsoft Edge Browser Services.|HTTPS/HTTP|edge.activity.windows.com| +|||HTTPS/HTTP|edge.microsoft.com| +||The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|HTTP|go.microsoft.com/fwlink/| +|||TLSv1.2/HTTPS/HTTP|go.microsoft.com| +|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +||The following endpoints are used get images that are used for Microsoft Store suggestions|TLSv1.2|store-images.s-microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com| +|||TLSv1.2/HTTPS|office.com| +|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||HTTP/HTTPS|*.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|||HTTP|roaming.officeapps.live.com| +|||HTTPS/HTTP|substrate.office.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|||HTTPS/HTTP|windows.policies.live.net| +|||HTTPS/HTTP|api.onedrive.com| +|||HTTPS/HTTP|skydrivesync.policies.live.net| +|||HTTPS/HTTP|*storage.live.com| +|||HTTPS/HTTP|*settings.live.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| +||||wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +|||TLSv1.2|definitionupdates.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*| +|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com| +|||HTTPS|mucp.api.account.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| +||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.| +|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| +|||HTTPS|www.xboxab.com| +| + +## Windows 10 Pro + +| **Area** | **Description** | **Protocol** | **Destination** | +| --- | --- | --- | ---| +| Activity Feed Service |The following endpoints are used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| +||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*| +|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||TLSv1.2/HTTP|www.microsoft.com| +||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| +|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|TLSv1.2/HTTPS/HTTP|go.microsoft.com| +|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com| +|||TLSv1.2/HTTPS|office.com| +|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||HTTP/HTTPS|*.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|||TLSv1.2/HTTPS/HTTP|officeclient.microsoft.com| +|||HTTPS/HTTP|substrate.office.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|||HTTPS/HTTP|windows.policies.live.net| +|||HTTPS/HTTP|*storage.live.com| +|||HTTPS/HTTP|*settings.live.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| +||||wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*| +|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| +||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.| +|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| +| + +## Windows 10 Education + +| **Area** | **Description** | **Protocol** | **Destination** | +| --- | --- | --- | ---| +| Activity Feed Service |The following endpoints are used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| +|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*| +|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||HTTPS/HTTP|fp.msedge.net| +|||TLSv1.2|odinvzc.azureedge.net| +|||TLSv1.2|b-ring.msedge.net| +|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||TLSv1.2/HTTP|www.microsoft.com| +||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| +|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| +|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|TLSv1.2/HTTPS/HTTP|go.microsoft.com| +|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|1storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS|office.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| +||||wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*| +|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| +||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.| +|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json index 4dcacaf204..40211ae3b7 100644 --- a/windows/release-information/docfx.json +++ b/windows/release-information/docfx.json @@ -41,7 +41,16 @@ "audience": "ITPro", "titleSuffix": "Windows Release Information", "extendBreadcrumb": true, - "feedback_system": "None" + "feedback_system": "None", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/security/docfx.json b/windows/security/docfx.json index ab00e42eba..e8accb5982 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -21,7 +21,8 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.gif" + "**/*.gif", + "**/*.svg" ], "exclude": [ "**/obj/**", @@ -33,6 +34,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.topic": "article", "manager": "dansimp", "audience": "ITPro", @@ -45,7 +47,17 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Microsoft 365 Security" + "titleSuffix": "Microsoft 365 Security", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], + "searchScope": ["Windows 10"] }, "fileMetadata": { "titleSuffix":{ diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md index 7f7f58c2b8..16e55efb95 100644 --- a/windows/security/identity-protection/TOC.md +++ b/windows/security/identity-protection/TOC.md @@ -18,7 +18,7 @@ #### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md) #### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md) -## [Windows Hello for Business](hello-for-business/hello-identity-verification.md) +## [Windows Hello for Business](hello-for-business/index.yml) ## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) ### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md) diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index 8e6cf74f38..61288f4b01 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md index 2ae163cea6..f207928d15 100644 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ b/windows/security/identity-protection/access-control/active-directory-accounts.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index 61198672fc..e408ad9ba8 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management @@ -576,7 +576,7 @@ This security group has not changed since Windows Server 2008. - + @@ -645,7 +645,7 @@ This security group has not changed since Windows Server 2008. - + @@ -717,7 +717,7 @@ This security group includes the following changes since Windows Server 2008: - + @@ -865,7 +865,7 @@ This security group has not changed since Windows Server 2008. - + @@ -987,7 +987,7 @@ This security group has not changed since Windows Server 2008. - + @@ -1113,7 +1113,7 @@ This security group was introduced in Windows Vista Service Pack 1, and it h - + @@ -1241,7 +1241,7 @@ The Device Owners group applies to versions of the Windows Server operating syst - + @@ -1430,7 +1430,7 @@ This security group has not changed since Windows Server 2008. - + @@ -1493,7 +1493,7 @@ This security group has not changed since Windows Server 2008. - + @@ -1552,7 +1552,7 @@ This security group has not changed since Windows Server 2008. - + @@ -1613,7 +1613,7 @@ This security group has not changed since Windows Server 2008. - + @@ -1674,7 +1674,7 @@ This security group has not changed since Windows Server 2008. - + @@ -1737,11 +1737,11 @@ This security group has not changed since Windows Server 2008. - + - + @@ -1950,7 +1950,7 @@ This security group has not changed since Windows Server 2008. - + @@ -1985,13 +1985,13 @@ This security group has not changed since Windows Server 2008. -### Group Policy Creators Owners +### Group Policy Creator Owners This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator. For information about other features you can use with this security group, see [Group Policy Overview](https://technet.microsoft.com/library/hh831791.aspx). -The Group Policy Creators Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). +The Group Policy Creator Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). This security group has not changed since Windows Server 2008. @@ -2009,7 +2009,7 @@ This security group has not changed since Windows Server 2008. - + @@ -2093,12 +2093,11 @@ This security group has not changed since Windows Server 2008. - + - + @@ -2150,7 +2149,7 @@ This security group was introduced in Windows Server 2012, and it has not chang - + @@ -2162,7 +2161,7 @@ This security group was introduced in Windows Server 2012, and it has not chang - + @@ -2211,7 +2210,7 @@ This security group has not changed since Windows Server 2008. - + @@ -2286,7 +2285,7 @@ This security group has not changed since Windows Server 2008. - + @@ -2389,7 +2388,7 @@ This security group has not changed since Windows Server 2008. - + @@ -2470,7 +2469,7 @@ This security group has not changed since Windows Server 2008. - + @@ -2551,7 +2550,7 @@ This security group has not changed since Windows Server 2008. - + @@ -2615,7 +2614,7 @@ This security group has not changed since Windows Server 2008. - + @@ -2679,7 +2678,7 @@ This security group has not changed since Windows Server 2008. However, in Windo - + @@ -2758,7 +2757,7 @@ The following table specifies the properties of the Protected Users group. - + @@ -2819,7 +2818,7 @@ This security group has not changed since Windows Server 2008. - + @@ -2876,11 +2875,11 @@ This security group was introduced in Windows Server 2012, and it has not chang - + - + @@ -2939,7 +2938,7 @@ This security group was introduced in Windows Server 2012, and it has not chang - + @@ -3000,7 +2999,7 @@ This security group was introduced in Windows Server 2012, and it has not chang - + @@ -3035,6 +3034,78 @@ This security group was introduced in Windows Server 2012, and it has not chang +### Read-Only Domain Controllers + +This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role. + +Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality: + +- Read-only AD DS database + +- Unidirectional replication + +- Credential caching + +- Administrator role separation + +- Read-only Domain Name System (DNS) + +For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](https://technet.microsoft.com/library/cc754719(v=ws.10).aspx). + +This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions. + +
Microsoft Endpoint Configuration Manager and Intune (hybrid)Microsoft Endpoint Manager and Intune (hybrid)

Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.

Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.

Select this method when you:

    -
  • Selected Microsoft Endpoint Configuration Manager to deploy Windows 10.
    • +
  • Selected Microsoft Endpoint Manager to deploy Windows 10.
  • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
  • Want to manage domain-joined devices.
  • Want to manage Azure AD domain-joined devices.
    • @@ -483,9 +525,9 @@ Record the app and update management methods that you selected in Table 7. |Selection | Management method| |----------|------------------| -| |Microsoft Endpoint Configuration Manager by itself| +| |Microsoft Endpoint Manager by itself| | |Intune by itself| -| |Microsoft Endpoint Configuration Manager and Intune (hybrid mode)| +| |Microsoft Endpoint Manager and Intune (hybrid mode)| *Table 7. App and update management methods selected* @@ -512,7 +554,8 @@ For more information about installing the Windows ADK, see [Step 2-2: Install Wi Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment. It is a free tool available directly from Microsoft. You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. ->**Note**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32-bit versions of the operating system. +> [!NOTE] +> If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32-bit versions of the operating system. For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/library/dn759415.aspx#InstallingaNewInstanceofMDT). @@ -526,15 +569,17 @@ For more information about how to create a deployment share, see [Step 3-1: Crea ### Install the Configuration Manager console ->**Note**  If you selected Microsoft Endpoint Configuration Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next. +> [!NOTE] +> If you selected Microsoft Endpoint Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next. You can use Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Microsoft Store apps, and software updates. To manage Configuration Manager, you use the Configuration Manager console. You must install the Configuration Manager console on every device you use to manage Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install Configuration Manager primary site servers. -For more information about how to install the Configuration Manager console, see [Install Microsoft Endpoint Configuration Manager consoles](https://technet.microsoft.com/library/mt590197.aspx#bkmk_InstallConsole). +For more information about how to install the Configuration Manager console, see [Install Microsoft Endpoint Manager consoles](https://technet.microsoft.com/library/mt590197.aspx#bkmk_InstallConsole). ### Configure MDT integration with the Configuration Manager console ->**Note**  If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Endpoint Configuration Manager) in the [Select the deployment methods](#select-the-deployment-methods) section, then skip this section and continue to the next. +> [!NOTE] +> If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Endpoint Configuration Manager) in [Select the deployment methods](#select-the-deployment-methods), earlier in this article, then skip this section and continue to the next. You can use MDT with Configuration Manager to make ZTI operating system deployment easier. To configure MDT integration with Configuration Manager, run the Configure ConfigMgr Integration Wizard. This wizard is installed when you install MDT. @@ -544,7 +589,7 @@ For more information, see [Enable Configuration Manager Console Integration for #### Summary -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in the [Select the deployment methods](#select-the-deployment-methods) section). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in [Select the deployment methods](#select-the-deployment-methods), earlier in this article). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. ## Create and configure Office 365 @@ -590,13 +635,19 @@ You will use the Office 365 Education license plan information you record in Tab To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions. ->**Note**  If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Create user accounts in Office 365](#create-user-accounts-in-office-365). +> [!NOTE] +> If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Create user accounts in Office 365](#create-user-accounts-in-office-365). #### To create a new Office 365 subscription 1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - > **Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods: - >
    • In Microsoft Edge, open the Microsoft Edge app (press Ctrl+Shift+P, or click or tap More actions), and then click or tap New InPrivate window.
    • In Internet Explorer 11, open Internet Explorer 11 (press Ctrl+Shift+P, or click or tap Settings), click or tap Safety, and then click or tap InPrivate Browsing.
    + + > [!NOTE] + > If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods: + > + > - In Microsoft Edge, open the Microsoft Edge app (press Ctrl+Shift+P, or click or tap More actions), and then click or tap New InPrivate window. + > + > - In Internet Explorer 11, open Internet Explorer 11 (press Ctrl+Shift+P, or click or tap Settings), click or tap Safety, and then click or tap InPrivate Browsing. 2. On the **Get started** page, in **Enter your school email address**, type your school email address, and then click **Sign up**. @@ -631,7 +682,8 @@ Now that you have created your new Office 365 Education subscription, add the do To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant. ->**Note**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush). +> [!NOTE] +> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush). Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: @@ -640,7 +692,8 @@ Office 365 uses the domain portion of the user’s email address to know which O You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before you allow other faculty and students to join Office 365. ->**Note**  You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. +> [!NOTE] +> You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). @@ -651,13 +704,15 @@ By default, all new Office 365 Education subscriptions have automatic tenant joi *Table 10. Windows PowerShell commands to enable or disable automatic tenant join* ->**Note**  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. +> [!NOTE] +> If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. ### Disable automatic licensing To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. ->**Note**  By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. +> [!NOTE] +> By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). @@ -678,7 +733,7 @@ The following Azure AD Premium features are not in Azure AD Basic: * Allow designated users to manage group membership * Dynamic group membership based on user metadata -* Azure multifactor authentication (MFA; see [What is Azure Multi-Factor Authentication](https://azure.microsoft.com/documentation/articles/multi-factor-authentication/)) +* Azure AD Multi-Factor Authentication (MFA; see [What is Azure AD Multi-Factor Authentication](https://azure.microsoft.com/documentation/articles/multi-factor-authentication/)) * Identify cloud apps that your users run * Self-service recovery of BitLocker * Add local administrator accounts to Windows 10 devices @@ -709,9 +764,11 @@ Now that you have an Office 365 subscription, you must determine how you’ll cr In this method, you have an on-premises AD DS domain. As shown in Figure 5, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. ->**Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/library/dn510997.aspx). +> [!NOTE] +> Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/library/dn510997.aspx). -![Automatic synchronization between AD DS and Azure AD](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD") +> [!div class="mx-imgBorder"] +> ![Automatic synchronization between AD DS and Azure AD](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD") *Figure 5. Automatic synchronization between AD DS and Azure AD* @@ -721,7 +778,8 @@ For more information about how to perform this step, see the [Integrate on-premi In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. -![Bulk import into Azure AD from other sources](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") +> [!div class="mx-imgBorder"] +> ![Bulk import into Azure AD from other sources](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") *Figure 6. Bulk import into Azure AD from other sources* @@ -742,7 +800,8 @@ In this section, you selected the method for creating user accounts in your Offi You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. ->**Note**  If your institution does not have an on-premises AD DS domain, you can skip this section. +> [!NOTE] +> If your institution does not have an on-premises AD DS domain, you can skip this section. ### Select a synchronization model @@ -752,13 +811,15 @@ You can deploy the Azure AD Connect tool: - **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. - ![Azure AD Connect on premises](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") + > [!div class="mx-imgBorder"] + > ![Azure AD Connect on premises](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") *Figure 7. Azure AD Connect on premises* - **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. - ![Azure AD Connect in Azure](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure") + > [!div class="mx-imgBorder"] + > ![Azure AD Connect in Azure](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure") *Figure 8. Azure AD Connect in Azure* @@ -815,7 +876,8 @@ In this section, you selected your synchronization model, deployed Azure AD Conn You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS. ->**Note**  If your institution doesn’t have an on-premises AD DS domain, you can skip this section. +> [!NOTE] +> If your institution doesn’t have an on-premises AD DS domain, you can skip this section. ### Select the bulk import method @@ -823,7 +885,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T |Method |Description and reason to select this method | |-------|---------------------------------------------| -|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren't comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| |VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).| |Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| @@ -845,7 +907,8 @@ After you have selected your user and group account bulk import method, you’re With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method. ->**Note**  Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. +> [!NOTE] +> Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. For more information about how to import user accounts into AD DS by using: @@ -865,7 +928,8 @@ You can bulk-import user and group accounts directly into Office 365, reducing t Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. ->**Note**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. +> [!NOTE] +> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). @@ -873,7 +937,8 @@ The bulk-add process assigns the same Office 365 Education license plan to all u For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365 - Admin help](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US). ->**Note**  If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. +> [!NOTE] +> If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. The email accounts are assigned temporary passwords on creation. You must communicate these temporary passwords to your users before they can sign in to Office 365. @@ -881,13 +946,15 @@ The email accounts are assigned temporary passwords on creation. You must commun Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources. ->**Note**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. +> [!NOTE] +> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. For information about creating security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US). You can add and remove users from security groups at any time. ->**Note**  Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may have to sign out, and then sign in again for the change to take effect. +> [!NOTE] +> Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may have to sign out, and then sign in again for the change to take effect. ### Create email distribution groups @@ -895,7 +962,8 @@ Microsoft Exchange Online uses an email distribution group as a single email rec You can create email distribution groups based on job role (such as teacher, administration, or student) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. ->**Note**  Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps. +> [!NOTE] +> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps. For information about creating email distribution groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US). @@ -957,7 +1025,8 @@ After you create the Microsoft Store for Business portal, configure it by using Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this from the **Inventory** page in Microsoft Store for Business. ->**Note**  Your educational institution can now use a credit card or purchase order to pay for apps in Microsoft Store for Business. +> [!NOTE] +> Your educational institution can now use a credit card or purchase order to pay for apps in Microsoft Store for Business. You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users to install the apps. @@ -989,13 +1058,15 @@ Depending on your school’s requirements, you may need any combination of the f * Upgrade institution-owned devices to Windows 10 Education. * Deploy new instances of Windows 10 Education so that new devices have a known configuration. ->**Note**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades). +> [!NOTE] +> Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades). For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. ->**Note**  On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. +> [!NOTE] +> On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. @@ -1077,7 +1148,7 @@ At the end of this section, you should know the Windows 10 editions and processo ## Prepare for deployment -Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Endpoint Configuration Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers. +Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Endpoint Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers. ### Configure the MDT deployment share @@ -1173,7 +1244,8 @@ For more information about how to update a deployment share, see + - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/windows-store-for-business)
    For third-party MDM providers or management servers, check your product documentation. @@ -53,23 +53,22 @@ For third-party MDM providers or management servers, check your product document There are several items to download or create for offline-licensed apps. The app package and app license are required; app metadata and app frameworks are optional. This section includes more info on each item, and tells you how to download an offline-licensed app. -- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. +- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. -- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. +- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. -- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM. +- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM. -- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. +- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. -     -**To download an offline-licensed app** +**To download an offline-licensed app** -1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**. -3. Click **Settings**. -4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory. -5. Click **Manage**. You now have access to download the appx bundle package metadata and license file. -6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.) +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**. +3. Click **Settings**. +4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory. +5. Click **Manage**. You now have access to download the appx bundle package metadata and license file. +6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.) - **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional. - **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required. @@ -78,16 +77,3 @@ There are several items to download or create for offline-licensed apps. The app > [!NOTE] > You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible. - - - -   - -  - -  - - - - - diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md index 168974c2fa..82518ed170 100644 --- a/store-for-business/includes/store-for-business-content-updates.md +++ b/store-for-business/includes/store-for-business-content-updates.md @@ -2,11 +2,17 @@ -## Week of October 26, 2020 +## Week of January 25, 2021 | Published On |Topic title | Change | |------|------------|--------| -| 10/27/2020 | [Add unsigned app to code integrity policy (Windows 10)](/microsoft-store/add-unsigned-app-to-code-integrity-policy) | modified | -| 10/27/2020 | [Device Guard signing (Windows 10)](/microsoft-store/device-guard-signing-portal) | modified | -| 10/27/2020 | [Sign code integrity policy with Device Guard signing (Windows 10)](/microsoft-store/sign-code-integrity-policy-with-device-guard-signing) | modified | +| 1/29/2021 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified | + + +## Week of January 11, 2021 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 1/14/2021 | [Add unsigned app to code integrity policy (Windows 10)](/microsoft-store/add-unsigned-app-to-code-integrity-policy) | modified | diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index 4b9707b563..59be6fdc1c 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md @@ -12,7 +12,7 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 10/17/2017 +ms.date: --- # Microsoft Store for Business and Microsoft Store for Education overview @@ -22,7 +22,10 @@ ms.date: 10/17/2017 - Windows 10 - Windows 10 Mobile -Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options. +Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options. + +> [!IMPORTANT] +> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business. ## Features Organizations or schools of any size can benefit from using Microsoft Store for Business or Microsoft Store for Education: diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index 9d5a58c992..0dc7ab9ece 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md @@ -12,7 +12,7 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 10/13/2017 +ms.date: --- # Prerequisites for Microsoft Store for Business and Education @@ -22,6 +22,9 @@ ms.date: 10/13/2017 - Windows 10 - Windows 10 Mobile +> [!IMPORTANT] +> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business. + There are a few prerequisites for using Microsoft Store for Business or Microsoft Store for Education. ## Prerequisites diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json index 9df4554e37..3f6ef46e23 100644 --- a/windows/access-protection/docfx.json +++ b/windows/access-protection/docfx.json @@ -40,7 +40,16 @@ "depot_name": "MSDN.win-access-protection", "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md index 009019e015..dd38c101dd 100644 --- a/windows/application-management/app-v/appv-connect-to-the-management-console.md +++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to connect to the Management Console (Windows 10) description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md index a16ae77ec8..743c824815 100644 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md @@ -1,7 +1,7 @@ --- title: About the connection group virtual environment (Windows 10) description: Learn how the connection group virtual environment works and how package priority is determined. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index 60c1c72c77..36691ab472 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md @@ -1,7 +1,7 @@ --- title: How to convert a package created in a previous version of App-V (Windows 10) description: Use the package converter utility to convert a virtual application package created in a previous version of App-V. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md index 312adeb09b..62787b9a7c 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md +++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md @@ -1,7 +1,7 @@ --- title: How to create a connection croup with user-published and globally published packages (Windows 10) description: How to create a connection croup with user-published and globally published packages. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md index 829708fe4f..509167b5f4 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group.md +++ b/windows/application-management/app-v/appv-create-a-connection-group.md @@ -1,7 +1,7 @@ --- title: How to create a connection group (Windows 10) description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md index 273b520a59..42081976ef 100644 --- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md +++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to create a custom configuration file by using the App-V Management Console (Windows 10) description: How to create a custom configuration file by using the App-V Management Console. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 600df5f713..d6a62ddf52 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to create a package accelerator by using Windows PowerShell (Windows 10) description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index db4fe23b68..d2c69c8afb 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md @@ -1,7 +1,7 @@ --- title: How to create a package accelerator (Windows 10) description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md index c6983aab02..200f0481e4 100644 --- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md @@ -1,7 +1,7 @@ --- title: How to create a virtual application package using an App-V Package Accelerator (Windows 10) description: How to create a virtual application package using an App-V Package Accelerator. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md index 54aa412604..0af67b340d 100644 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md @@ -1,7 +1,7 @@ --- title: Create and apply an App-V project template to a sequenced App-V package (Windows 10) description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index b7ee707a61..30debd58c4 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -1,7 +1,7 @@ --- title: Creating and managing App-V virtualized applications (Windows 10) description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md index aae5ad7d4c..ebbdf508c3 100644 --- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10) description: How to customize virtual application extensions for a specific AD group by using the Management Console. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md index 20c62b4398..60a5518fe9 100644 --- a/windows/application-management/app-v/appv-delete-a-connection-group.md +++ b/windows/application-management/app-v/appv-delete-a-connection-group.md @@ -1,7 +1,7 @@ --- title: How to delete a connection group (Windows 10) description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md index 16a77e0287..27a1adeb35 100644 --- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to delete a package in the Management Console (Windows 10) description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md index 4717b5e4ef..f7ccc22f58 100644 --- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md +++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md @@ -1,7 +1,7 @@ --- title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10) description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md index 3c47fd5076..29719a0f8c 100644 --- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: How to deploy App-V packages using electronic software distribution (Windows 10) description: Learn how use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md index 07407291fe..f2c8cc0af3 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md @@ -1,7 +1,7 @@ --- title: How to Deploy the App-V Server Using a Script (Windows 10) description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.' -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md index 9284a9bfc6..ec7bcac622 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md @@ -1,7 +1,7 @@ --- title: How to Deploy the App-V Server (Windows 10) description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md index 14493f0b25..5061447ca8 100644 --- a/windows/application-management/app-v/appv-deploying-appv.md +++ b/windows/application-management/app-v/appv-deploying-appv.md @@ -1,7 +1,7 @@ --- title: Deploying App-V (Windows 10) description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md index 736d772dfc..143b808f76 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md @@ -1,7 +1,7 @@ --- title: Deploying Microsoft Office 2010 by Using App-V (Windows 10) description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index fee5c296a1..d4567acef0 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -1,7 +1,7 @@ --- title: Deploying Microsoft Office 2013 by Using App-V (Windows 10) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index ba7107286e..5a7bb4a95a 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -1,7 +1,7 @@ --- title: Deploying Microsoft Office 2016 by using App-V (Windows 10) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md index 37adcaae5e..5e3c484a69 100644 --- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: Deploying App-V packages by using electronic software distribution (ESD) description: Deploying App-V packages by using electronic software distribution (ESD) -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index 8cb954168b..15f8f520d4 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -1,7 +1,7 @@ --- title: Deploying the App-V Sequencer and configuring the client (Windows 10) description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md index 97f97275be..fad40ca584 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md @@ -1,7 +1,7 @@ --- title: Deploying the App-V Server (Windows 10) description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10 by using different deployment configurations described in this article. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index d09d0141d8..e64dfcb45c 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md @@ -1,7 +1,7 @@ --- title: App-V Deployment Checklist (Windows 10) description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index 196cb62ece..fac027c816 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md @@ -1,7 +1,7 @@ --- title: About App-V Dynamic Configuration (Windows 10) description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index 601bfd8297..013c9bf60d 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10) description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD). -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index 39a072c558..ba86d9400f 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10) description: How to Enable Reporting on the App-V Client by Using Windows PowerShell -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md index c7985565d4..e9352f15ee 100644 --- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md +++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md @@ -1,7 +1,7 @@ --- title: Enable the App-V in-box client (Windows 10) description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index 9eb57e8521..c5d8ac6964 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -1,7 +1,7 @@ --- title: Evaluating App-V (Windows 10) description: Learn how to evaluate App-V for Windows 10 in a lab environment before deploying into a production environment. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md index bec88a55bf..d089cb3371 100644 --- a/windows/application-management/app-v/appv-for-windows.md +++ b/windows/application-management/app-v/appv-for-windows.md @@ -1,7 +1,7 @@ --- title: Application Virtualization (App-V) (Windows 10) description: See various topics that can help you administer Application Virtualization (App-V) and its components. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index 03f116312a..8fc9117868 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -1,7 +1,7 @@ --- title: Getting Started with App-V (Windows 10) description: Get started with Microsoft Application Virtualization (App-V) for Windows 10. App-V for Windows 10 delivers Win32 applications to users as virtual applications. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index 941e4f58e7..cf81569563 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -1,7 +1,7 @@ --- title: High-level architecture for App-V (Windows 10) description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index 82b6545be6..fed3c5c9ec 100644 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10) description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md index ffffedff20..2b99c85da9 100644 --- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md +++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md @@ -1,7 +1,7 @@ --- title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10) description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md index 44e1be2801..f8c387ecb8 100644 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md @@ -1,7 +1,7 @@ --- title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10) description: How to install the Management Server on a Standalone Computer and Connect it to the Database -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md index f08f5dfe4d..df6dc6c726 100644 --- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md +++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md @@ -1,7 +1,7 @@ --- title: Install the Publishing Server on a Remote Computer (Windows 10) description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md index d476fda616..17251170f3 100644 --- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md @@ -1,7 +1,7 @@ --- title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10) description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index 7a13e789c6..0c3ae2e9a0 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -1,7 +1,7 @@ --- title: Install the App-V Sequencer (Windows 10) description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md index bc8cd9361e..4c3530ae6b 100644 --- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md +++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md @@ -1,7 +1,7 @@ --- title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10) description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index e03e524b5a..ca2c8811c9 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md @@ -1,7 +1,7 @@ --- title: Maintaining App-V (Windows 10) description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md index c7f1214405..78190c4689 100644 --- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10) description: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index d4e01266f8..d6e03d17a6 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10) description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index 9b5aa14320..f308ee42da 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -1,7 +1,7 @@ --- title: Managing Connection Groups (Windows 10) description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index a3600bfa4c..63e362cc4c 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -1,7 +1,7 @@ --- title: Migrating to App-V from a Previous Version (Windows 10) description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10 from a previous version. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index c065c9a2a5..6a6da20d55 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -1,7 +1,7 @@ --- title: How to Modify an Existing Virtual Application Package (Windows 10) description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md index 816015f740..9b7fa5dc90 100644 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10) description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md index e34dd4f7dc..8d46833f6d 100644 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md @@ -1,7 +1,7 @@ --- title: How to Move the App-V Server to Another Computer (Windows 10) description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md index b68da536ab..a916d38776 100644 --- a/windows/application-management/app-v/appv-operations.md +++ b/windows/application-management/app-v/appv-operations.md @@ -1,7 +1,7 @@ --- title: Operations for App-V (Windows 10) description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index ea4f11a42b..d7c8078b33 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -1,7 +1,7 @@ --- title: Performance Guidance for Application Virtualization (Windows 10) description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index 4c098ba090..e2d9776c2c 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md @@ -1,7 +1,7 @@ --- title: App-V Planning Checklist (Windows 10) description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index 2a6724419a..0b9b995319 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -1,7 +1,7 @@ --- title: Planning to Use Folder Redirection with App-V (Windows 10) description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md index 8aa07c226e..94b436fd53 100644 --- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md @@ -1,7 +1,7 @@ --- title: Planning for the App-V Server Deployment (Windows 10) description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md index 0ebf3ccaf3..39d5199ea8 100644 --- a/windows/application-management/app-v/appv-planning-for-appv.md +++ b/windows/application-management/app-v/appv-planning-for-appv.md @@ -1,7 +1,7 @@ --- title: Planning for App-V (Windows 10) description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index 29d772054e..9f01735aab 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -1,7 +1,7 @@ --- title: Planning for High Availability with App-V Server description: Learn what you need to know so you can plan for high availability with Application Virtualization (App-V) server. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md index 0f797ad9d7..52019b0496 100644 --- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md @@ -1,7 +1,7 @@ --- title: Planning for the App-V Sequencer and Client Deployment (Windows 10) description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index 91ade82d46..32b20fa1e6 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -1,7 +1,7 @@ --- title: Planning for Deploying App-V with Office (Windows 10) description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V). -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index 49e7266314..10fd13f4cc 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10) description: Planning to Deploy App-V with an Electronic Software Distribution System -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md index be621c72e2..f08a2b2b44 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md @@ -1,7 +1,7 @@ --- title: Planning to Deploy App-V (Windows 10) description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index b1a6caca2c..3138fa3ab3 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -44,7 +44,7 @@ Each method accomplishes essentially the same task, but some methods may be bett To add a locally installed application to a package or to a connection group’s virtual environment, you add a subkey to the `RunVirtual` registry key in the Registry Editor, as described in the following sections. -There is no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Configuration Manager or another electronic software distribution (ESD) system, or manually edit the registry. +There is no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Manager or another electronic software distribution (ESD) system, or manually edit the registry. Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages globally or to the user. diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 09bd474c3e..460b8ecfdd 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -32,6 +32,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", @@ -43,7 +44,17 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Windows Application Management" + "titleSuffix": "Windows Application Management", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], + "searchScope": ["Windows 10"] }, "fileMetadata": {}, "template": [], diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index b99a2d3ee4..aac950751a 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -1,5 +1,6 @@ # [Manage clients in Windows 10](index.md) ## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) +### [Use Quick Assist to help users](quick-assist.md) ## [Create mandatory user profiles](mandatory-user-profile.md) ## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) ## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 4af9868736..c27a78fa4c 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -17,17 +17,17 @@ ms.topic: troubleshooting ## Overview -This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or switches, it won't be an end-to-end Microsoft solution. +This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves a lot of third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution. ## Scenarios -This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS. +This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS. -## Known Issues +## Known issues None -## Data Collection +## Data collection See [Advanced troubleshooting 802.1X authentication data collection](data-collection-for-802-authentication.md). @@ -35,11 +35,11 @@ See [Advanced troubleshooting 802.1X authentication data collection](data-collec Viewing [NPS authentication status events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications. -NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you are not seeing both success and failure events, see the section below on [NPS audit policy](#audit-policy). +NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article. -Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. +Check Windows Security Event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. -In the event message, scroll to the very bottom, and check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text associated with it. +In the event message, scroll to the very bottom, and then check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it. ![example of an audit failure](images/auditfailure.png) *Example: event ID 6273 (Audit Failure)*

    @@ -47,35 +47,35 @@ In the event message, scroll to the very bottom, and check the [Reason Code](htt ![example of an audit success](images/auditsuccess.png) *Example: event ID 6272 (Audit Success)*
    -‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one. +‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one. -On the client side, navigate to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, navigate to **..\Wired-AutoConfig/Operational**. See the following example: +On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example: ![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png) -Most 802.1X authentication issues are due to problems with the certificate that is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.). +Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure. -First, validate the type of EAP method being used: +First, validate the type of EAP method that's used: ![eap authentication type comparison](images/comparisontable.png) -If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication Methods** section. +If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section. ![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png) -The CAPI2 event log will be useful for troubleshooting certificate-related issues. -This log is not enabled by default. You can enable this log by expanding **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, right-clicking **Operational** and then clicking **Enable Log**. +The CAPI2 event log is useful for troubleshooting certificate-related issues. +By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**. ![screenshot of event viewer](images/capi.png) -The following article explains how to analyze CAPI2 event logs: +For information about how to analyze CAPI2 event logs, see [Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29). -When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication: +When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication: ![authenticator flow chart](images/authenticator_flow_chart.png) -If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples: +If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples: ![client-side packet capture data](images/clientsidepacket_cap_data.png) *Client-side packet capture data*

    @@ -85,16 +85,16 @@ If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both ‎ > [!NOTE] -> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. Follow the instructions under the **Help** menu in Network Monitor to load the reqired [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/) if needed. See the example below. +> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/), see the instructions under the **Help** menu in Network Monitor. Here's an example: ![ETL parse](images/etl.png) ## Audit policy -NPS audit policy (event logging) for connection success and failure is enabled by default. If you find that one or both types of logging are disabled, use the following steps to troubleshoot. +By default, NPS audit policy (event logging) for connection success and failure is enabled. If you find that one or both types of logging are disabled, use the following steps to troubleshoot. View the current audit policy settings by running the following command on the NPS server: -``` +```console auditpol /get /subcategory:"Network Policy Server" ``` @@ -106,13 +106,12 @@ Logon/Logoff Network Policy Server Success and Failure -If it shows ‘No auditing’, you can run this command to enable it: - -``` +If it says, "No auditing," you can run this command to enable it: +```console auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable ``` -Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing via Group Policy. The success/failure setting can be found under **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server**. +Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing by using Group Policy. To get to the success/failure setting, select **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **Audit Policies** > **Logon/Logoff** > **Audit Network Policy Server**. ## Additional references diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md index ee8a044508..69fa51d4e4 100644 --- a/windows/client-management/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/change-default-removal-policy-external-storage-media.md @@ -4,10 +4,11 @@ description: In Windows 10, version 1809, the default removal policy for externa ms.prod: w10 author: Teresa-Motiv ms.author: v-tea -ms.date: 12/13/2019 +ms.date: 11/25/2020 ms.topic: article ms.custom: - CI 111493 +- CI 125140 - CSSTroubleshooting audience: ITPro ms.localizationpriority: medium @@ -44,6 +45,13 @@ To change the policy for an external storage device: ![In Disk Management, right-click the device and click Properties.](./images/change-def-rem-policy-1.png) -6. Select **Policies**, and then select the policy you want to use. +6. Select **Policies**. + + > [!NOTE] + > Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box. + > + > If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available. + +7. Select the policy that you want to use. ![Policy options for disk management](./images/change-def-rem-policy-2.png) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 13ee43e312..3e360929de 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -22,14 +22,15 @@ ms.topic: article - Windows 10 -From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). +From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). ![Remote Desktop Connection client](images/rdp.png) ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported. -- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined if using Windows 10 version 1607 and above, or Azure AD registered if using Windows 10 version 2004 and above. Remote connections to an Azure AD joined PC from an unjoined device or a non-Windows 10 device are not supported. +- Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported. +- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop. Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC. @@ -41,57 +42,45 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu ![Allow remote connections to this computer](images/allow-rdp.png) - 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Click **Select Users -> Add** and enter the name of the user or group. - - > [!NOTE] - > You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet: - > ```powershell - > net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" - > ``` - > where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. - > - > This command only works for AADJ device users already added to any of the local groups (administrators). - > Otherwise this command throws the below error. For example: - > - for cloud only user: "There is no such global user or group : *name*" - > - for synced user: "There is no such global user or group : *name*"
    - - > [!NOTE] - > In Windows 10, version 1709, the user does not have to sign in to the remote device first. - > - > In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. + 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: + + - Adding users manually - 4. Click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. + You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet: + ```powershell + net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" + ``` + where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. - > [!TIP] - > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant. + This command only works for AADJ device users already added to any of the local groups (administrators). + Otherwise this command throws the below error. For example: + - for cloud only user: "There is no such global user or group : *name*" + - for synced user: "There is no such global user or group : *name*"
    - > [!Note] - > If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e). + > [!NOTE] + > For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections. + > + > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. + + - Adding users using policy + + Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). + + > [!TIP] + > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com. + + > [!NOTE] + > If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in this [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e). ## Supported configurations -In organizations using integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC by using any of the following: +The table below lists the supported configurations for remotely connecting to an Azure AD-joined PC: -- Password -- Smartcards -- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager. +| Criteria | RDP from Azure AD registered device| RDP from Azure AD joined device| RDP from hybrid Azure AD joined device | +| - | - | - | - | +| **Client operating systems**| Windows 10, version 2004 and above| Windows 10, version 1607 and above | Windows 10, version 1607 and above | +| **Supported credentials**| Password, smartcard| Password, smartcard, Windows Hello for Business certificate trust | Password, smartcard, Windows Hello for Business certificate trust | -In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network by using any of the following: - -- Password -- Smartcards -- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription. - -In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following: - -- Password -- Smartcards -- Windows Hello for Business, with or without an MDM subscription. - -In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following: - -- Password -- Windows Hello for Business, with or without an MDM subscription. > [!NOTE] > If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index ffd1c9d266..694a7e8b07 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -32,6 +32,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", @@ -45,7 +46,17 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Windows Client Management" + "titleSuffix": "Windows Client Management", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], + "searchScope": ["Windows 10"] }, "fileMetadata": {}, "template": [], diff --git a/windows/client-management/images/quick-assist-flow.png b/windows/client-management/images/quick-assist-flow.png new file mode 100644 index 0000000000..5c1d83741f Binary files /dev/null and b/windows/client-management/images/quick-assist-flow.png differ diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index dc31960057..2950a6c6d9 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -19,13 +19,13 @@ ms.topic: article - Windows 10, Windows Server 2016 -You can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. -To make use of the Settings App group polices on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. +You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. +To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. >[!Note] >Each server that you want to manage access to the Settings App must be patched. -To centrally manage the new policies copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) if your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management. +If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra). This policy is available for both User and Computer depending on the version of the OS. Windows Server 2016 with KB 4457127 applied will have both User and Computer policy. Windows 10, version 1703, added Computer policy for the Settings app. Windows 10, version 1809, added User policy for the Settings app. @@ -39,7 +39,7 @@ Policy paths: ## Configuring the Group Policy -The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). +The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). >[!NOTE] > When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string. diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index e875d5d3a7..3675333e76 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -172,30 +172,58 @@ #### [AboveLock](policy-csp-abovelock.md) #### [Accounts](policy-csp-accounts.md) #### [ActiveXControls](policy-csp-activexcontrols.md) +#### [ADMX_ActiveXInstallService](policy-csp-admx-activexinstallservice.md) #### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md) #### [ADMX_AppCompat](policy-csp-admx-appcompat.md) +#### [ADMX_AppxPackageManager](policy-csp-admx-appxpackagemanager.md) +#### [ADMX_AppXRuntime](policy-csp-admx-appxruntime.md) +#### [ADMX_AttachmentManager](policy-csp-admx-attachmentmanager.md) #### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) #### [ADMX_Bits](policy-csp-admx-bits.md) #### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) #### [ADMX_COM](policy-csp-admx-com.md) +#### [ADMX_ControlPanel](policy-csp-admx-controlpanel.md) +#### [ADMX_ControlPanelDisplay](policy-csp-admx-controlpaneldisplay.md) #### [ADMX_Cpls](policy-csp-admx-cpls.md) +#### [ADMX_CredentialProviders](policy-csp-admx-credentialproviders.md) +#### [ADMX_CredSsp](policy-csp-admx-credssp.md) +#### [ADMX_CredUI](policy-csp-admx-credui.md) #### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md) +#### [ADMX_DataCollection](policy-csp-admx-datacollection.md) +#### [ADMX_Desktop](policy-csp-admx-desktop.md) +#### [ADMX_DeviceInstallation](policy-csp-admx-deviceinstallation.md) +#### [ADMX_DeviceSetup](policy-csp-admx-devicesetup.md) #### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md) #### [ADMX_DnsClient](policy-csp-admx-dnsclient.md) #### [ADMX_DWM](policy-csp-admx-dwm.md) +#### [ADMX_EAIME](policy-csp-admx-eaime.md) #### [ADMX_EncryptFilesonMove](policy-csp-admx-encryptfilesonmove.md) +#### [ADMX_EnhancedStorage](policy-csp-admx-enhancedstorage.md) +#### [ADMX_ErrorReporting](policy-csp-admx-errorreporting.md) #### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md) +#### [ADMX_EventLog](policy-csp-admx-eventlog.md) +#### [ADMX_Explorer](policy-csp-admx-explorer.md) #### [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md) #### [ADMX_FileSys](policy-csp-admx-filesys.md) #### [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md) +#### [ADMX_Globalization](policy-csp-admx-globalization.md) +#### [ADMX_GroupPolicy](policy-csp-admx-grouppolicy.md) #### [ADMX_Help](policy-csp-admx-help.md) #### [ADMX_HelpAndSupport](policy-csp-admx-helpandsupport.md) +#### [ADMX_ICM](policy-csp-admx-icm.md) #### [ADMX_kdc](policy-csp-admx-kdc.md) +#### [ADMX_Kerberos](policy-csp-admx-kerberos.md) #### [ADMX_LanmanServer](policy-csp-admx-lanmanserver.md) +#### [ADMX_LanmanWorkstation](policy-csp-admx-lanmanworkstation.md) #### [ADMX_LinkLayerTopologyDiscovery](policy-csp-admx-linklayertopologydiscovery.md) +#### [ADMX_Logon](policy-csp-admx-logon.md) +#### [ADMX_MicrosoftDefenderAntivirus](policy-csp-admx-microsoftdefenderantivirus.md) #### [ADMX_MMC](policy-csp-admx-mmc.md) #### [ADMX_MMCSnapins](policy-csp-admx-mmcsnapins.md) #### [ADMX_MSAPolicy](policy-csp-admx-msapolicy.md) +#### [ADMX_msched](policy-csp-admx-msched.md) +#### [ADMX_MSDT](policy-csp-admx-msdt.md) +#### [ADMX_MSI](policy-csp-admx-msi.md) #### [ADMX_nca](policy-csp-admx-nca.md) #### [ADMX_NCSI](policy-csp-admx-ncsi.md) #### [ADMX_Netlogon](policy-csp-admx-netlogon.md) @@ -203,24 +231,35 @@ #### [ADMX_OfflineFiles](policy-csp-admx-offlinefiles.md) #### [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md) #### [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md) +#### [ADMX_Power](policy-csp-admx-power.md) #### [ADMX_PowerShellExecutionPolicy](policy-csp-admx-powershellexecutionpolicy.md) +#### [ADMX_Printing](policy-csp-admx-printing.md) +#### [ADMX_Printing2](policy-csp-admx-printing2.md) +#### [ADMX_Programs](policy-csp-admx-programs.md) #### [ADMX_Reliability](policy-csp-admx-reliability.md) +#### [ADMX_RemoteAssistance](policy-csp-admx-remoteassistance.md) +#### [ADMX_RemovableStorage](policy-csp-admx-removablestorage.md) +#### [ADMX_RPC](policy-csp-admx-rpc.md) #### [ADMX_Scripts](policy-csp-admx-scripts.md) #### [ADMX_sdiageng](policy-csp-admx-sdiageng.md) #### [ADMX_Securitycenter](policy-csp-admx-securitycenter.md) #### [ADMX_Sensors](policy-csp-admx-sensors.md) #### [ADMX_Servicing](policy-csp-admx-servicing.md) +#### [ADMX_SettingSync](policy-csp-admx-settingsync.md) #### [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md) #### [ADMX_Sharing](policy-csp-admx-sharing.md) #### [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md) +#### [ADMX_SkyDrive](policy-csp-admx-skydrive.md) #### [ADMX_Smartcard](policy-csp-admx-smartcard.md) #### [ADMX_Snmp](policy-csp-admx-snmp.md) #### [ADMX_StartMenu](policy-csp-admx-startmenu.md) +#### [ADMX_SystemRestore](policy-csp-admx-systemrestore.md) #### [ADMX_Taskbar](policy-csp-admx-taskbar.md) #### [ADMX_tcpip](policy-csp-admx-tcpip.md) #### [ADMX_Thumbnails](policy-csp-admx-thumbnails.md) #### [ADMX_TPM](policy-csp-admx-tpm.md) #### [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md) +#### [ADMX_UserProfiles](policy-csp-admx-userprofiles.md) #### [ADMX_W32Time](policy-csp-admx-w32time.md) #### [ADMX_WCM](policy-csp-admx-wcm.md) #### [ADMX_WinCal](policy-csp-admx-wincal.md) @@ -229,9 +268,12 @@ #### [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md) #### [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md) #### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) +#### [ADMX_WindowsRemoteManagement](policy-csp-admx-windowsremotemanagement.md) #### [ADMX_WindowsStore](policy-csp-admx-windowsstore.md) #### [ADMX_WinInit](policy-csp-admx-wininit.md) +#### [ADMX_WinLogon](policy-csp-admx-winlogon.md) #### [ADMX_wlansvc](policy-csp-admx-wlansvc.md) +#### [ADMX_WPN](policy-csp-admx-wpn.md) #### [ApplicationDefaults](policy-csp-applicationdefaults.md) #### [ApplicationManagement](policy-csp-applicationmanagement.md) #### [AppRuntime](policy-csp-appruntime.md) diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 0e1870a49d..15937b2e7c 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -1,6 +1,6 @@ --- title: Deploy and configure App-V apps using MDM -description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Configuration Manager or App-V server. +description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Manager or App-V server. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -15,7 +15,7 @@ manager: dansimp ## Executive summary -

    Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Configuration Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

    +

    Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

    MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.

    diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index 706b102207..61ff7e767b 100644 --- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md @@ -1,24 +1,29 @@ --- title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal -description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal +description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows author: lomayor -ms.date: 01/17/2018 +ms.date: 12/18/2020 ms.reviewer: manager: dansimp --- # Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal -Go to your Azure AD Blade, select the Mobility (MDM and MAM) and there should be the Microsoft Intune "App" Visible, select the Microsoft Intune and configure the Blade +> [!NOTE] +> Microsoft Intune portal can be accessed at the following link: [https://endpoint.microsoft.com](https://endpoint.microsoft.com). + +1. Go to your Azure AD Blade. +2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. +3. Select **Microsoft Intune** and configure the blade. ![How to get to the Blade](images/azure-mdm-intune.png) -Configure the Blade +Configure the blade ![Configure the Blade](images/azure-intune-configure-scope.png) -Select all for allow all users to enroll a Device and make it Intune ready, or Some, then you can add a Group of Users. +You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users). diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 07f3aa7f0f..03a48da95f 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -300,6 +300,10 @@ If you disable or do not configure this setting, users can configure only basic > [!NOTE] > If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. +> [!NOTE] +> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern +> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. + Sample value for this node to enable this policy is: ```xml @@ -1126,12 +1130,12 @@ Supported values: |-----|------------| | 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| | 1 |The encryption method of the OS volume doesn't match the BitLocker policy.| -| 2 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| +| 2 |The OS volume is unprotected.| | 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| | 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.| | 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.| | 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.| -| 7 |The OS volume is unprotected.| +| 7 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| | 8 |Recovery key backup failed.| | 9 |A fixed drive is unprotected.| | 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.| diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index 2818c2e55f..c0c9fdf44c 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -35,7 +35,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro > [!NOTE] > - Bulk-join is not supported in Azure Active Directory Join. > - Bulk enrollment does not work in Intune standalone environment. -> - Bulk enrollment works in Microsoft Endpoint Configuration Manager where the ppkg is generated from the Configuration Manager console. +> - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console. > - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. ## What you need diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index b1d4002955..556ff58e7a 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -21,6 +21,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article | Description| |--- | ---| | [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy:
    - [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | +| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
    -Properties/SleepMode | ## October 2020 diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index d064a375ca..dcf8eec173 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2728,6 +2728,7 @@ The following list shows the CSPs supported in HoloLens devices: | [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [DMAcc CSP](dmacc-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [DMClient CSP](dmclient-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 8| @@ -2737,6 +2738,7 @@ The following list shows the CSPs supported in HoloLens devices: | [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [VPNv2 CSP](vpnv2-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | @@ -2745,7 +2747,9 @@ The following list shows the CSPs supported in HoloLens devices: ## CSPs supported in Microsoft Surface Hub -- [Accounts CSP](accounts-csp.md)9 **Note:** Support in Surface Hub is limited to **Domain\ComputerName**. +- [Accounts CSP](accounts-csp.md)9 + > [!NOTE] + > Support in Surface Hub is limited to **Domain\ComputerName**. - [AccountManagement CSP](accountmanagement-csp.md) - [APPLICATION CSP](application-csp.md) - [CertificateStore CSP](certificatestore-csp.md) @@ -2813,3 +2817,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update +- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index da9959c0a2..040bf33710 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -390,6 +390,66 @@ Intune tamper protection setting UX supports three states: When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. +**Configuration/DisableLocalAdminMerge**
    +This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions. + +If you disable or do not configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, management settings will override preference settings. + +If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator. + +> [!NOTE] +> Applying this setting will not remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**. + +Supported OS versions: Windows 10 + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 1 – Enable. +- 0 (default) – Disable. + +**Configuration/DisableCpuThrottleOnIdleScans**
    +Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 1 – Enable. +- 0 (default) – Disable. + +**Configuration/MeteredConnectionUpdates**
    +Allow managed devices to update through metered connections. Data charges may apply. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 1 – Enable. +- 0 (default) – Disable. + +**Configuration/AllowNetworkProtectionOnWinServer**
    +This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 1 – Enable. +- 0 (default) – Disable. + +**Configuration/ExclusionIpAddress**
    +Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses. + +The data type is string. + +Supported operations are Add, Delete, Get, Replace. + **Configuration/EnableFileHashComputation** Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 2c49067d90..fb9c1a57d8 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -199,8 +199,111 @@ A Get to the above URI will return the results of the data gathering for the las Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed. -The zip file which is created also contains a results.xml file whose contents align to the Data section in the SyncML for ArchiveResults. Accordingly, an IT admin using the zip file for troubleshooting can determine the order and success of each directive without needing a permanent record of the SyncML value for DiagnosticArchive/ArchiveResults. +### Making use of the uploaded data +The zip archive which is created and uploaded by the CSP contains a folder structure like the following: +```powershell +PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z + + Directory: C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z + +Mode LastWriteTime Length Name +---- ------------- ------ ---- +la--- 1/4/2021 2:45 PM 1 +la--- 1/4/2021 2:45 PM 2 +la--- 12/2/2020 6:27 PM 2701 results.xml +``` +Each data gathering directive from the original `Collection` XML corresponds to a folder in the output. For example, if the first directive was HKLM\Software\Policies then folder `1` will contain the corresponding `export.reg` file. + +The `results.xml` file is the authoritative map to the output. It includes a status code for each directive. The order of the directives in the file corresponds to the order of the output folders. Using `results.xml` the administrator can see what data was gathered, what failures may have occurred, and which folders contain which output. For example, the following `results.xml` content indicates that registry export of HKLM\Software\Policies was successful and the data can be found in folder `1`. It also indicates that `netsh.exe wlan show profiles` command failed. + +```xml + + 268b3056-8c15-47c6-a1bd-4bc257aef7b2 + HKLM\Software\Policies + %windir%\system32\netsh.exe wlan show profiles + +``` + +Administrators can apply automation to 'results.xml' to create their own preferred views of the data. For example, the following PowerShell one-liner extracts from the XML an ordered list of the directives with status code and details. +```powershell +Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++} +``` +This example produces output similar to the following: +``` +DirectiveNumber DirectiveHRESULT DirectiveInput +--------------- ---------------- -------------- + 1 0 HKLM\Software\Policies + 2 0 HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall + 3 0 HKLM\Software\Microsoft\IntuneManagementExtension + 4 0 HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall + 5 0 %windir%\system32\ipconfig.exe /all + 6 0 %windir%\system32\netsh.exe advfirewall show allprofiles + 7 0 %windir%\system32\netsh.exe advfirewall show global + 8 -2147024895 %windir%\system32\netsh.exe wlan show profiles +``` + +The next example extracts the zip archive into a customized flattened file structure. Each file name includes the directive number, HRESULT, and so on. This example could be customized to make different choices about what information to include in the file names and what formatting choices to make for special characters. + +```powershell +param( $DiagnosticArchiveZipPath = "C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip" ) + +#region Formatting Choices +$flatFileNameTemplate = '({0:D2}) ({3}) (0x{2:X8})' +$maxLengthForInputTextPassedToOutput = 80 +#endregion + +#region Create Output Folders and Expand Zip +$diagnosticArchiveTempUnzippedPath = $DiagnosticArchiveZipPath + "_expanded" +if(-not (Test-Path $diagnosticArchiveTempUnzippedPath)){mkdir $diagnosticArchiveTempUnzippedPath} +$reformattedArchivePath = $DiagnosticArchiveZipPath + "_formatted" +if(-not (Test-Path $reformattedArchivePath)){mkdir $reformattedArchivePath} +Expand-Archive -Path $DiagnosticArchiveZipPath -DestinationPath $diagnosticArchiveTempUnzippedPath +#endregion + +#region Discover and Move/rename Files +$resultElements = ([xml](Get-Content -Path (Join-Path -Path $diagnosticArchiveTempUnzippedPath -ChildPath "results.xml"))).Collection.ChildNodes | Foreach-Object{ $_ } +$n = 0 +foreach( $element in $resultElements ) +{ + $directiveNumber = $n + $n++ + if($element.Name -eq 'ID'){ continue } + $directiveType = $element.Name + $directiveStatus = [int]$element.Attributes.ItemOf('HRESULT').psbase.Value + $directiveUserInputRaw = $element.InnerText + $directiveUserInputFileNameCompatible = $directiveUserInputRaw -replace '[\\|/\[\]<>\:"\?\*%\.\s]','_' + $directiveUserInputTrimmed = $directiveUserInputFileNameCompatible.substring(0, [System.Math]::Min($maxLengthForInputTextPassedToOutput, $directiveUserInputFileNameCompatible.Length)) + $directiveSummaryString = $flatFileNameTemplate -f $directiveNumber,$directiveType,$directiveStatus,$directiveUserInputTrimmed + $directiveOutputFolder = Join-Path -Path $diagnosticArchiveTempUnzippedPath -ChildPath $directiveNumber + $directiveOutputFiles = Get-ChildItem -Path $directiveOutputFolder -File + foreach( $file in $directiveOutputFiles) + { + $leafSummaryString = $directiveSummaryString,$file.Name -join ' ' + Copy-Item $file.FullName -Destination (Join-Path -Path $reformattedArchivePath -ChildPath $leafSummaryString) + } +} +#endregion +Remove-Item -Path $diagnosticArchiveTempUnzippedPath -Force -Recurse +``` +That example script produces a set of files similar to the following, which can be a useful view for an administrator interactively browsing the results without needing to navigate any sub-folders or refer to `results.xml` repeatedly: + +```powershell +PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip_formatted | format-table Length,Name + + Length Name + ------ ---- + 46640 (01) (HKLM_Software_Policies) (0x00000000) export.reg + 203792 (02) (HKLM_Software_Microsoft_Windows_CurrentVersion_Uninstall) (0x00000000) export.reg + 214902 (03) (HKLM_Software_Microsoft_IntuneManagementExtension) (0x00000000) export.reg + 212278 (04) (HKLM_SOFTWARE_WOW6432Node_Microsoft_Windows_CurrentVersion_Uninstall) (0x00000000) export.reg + 2400 (05) (_windir__system32_ipconfig_exe__all) (0x00000000) output.log + 2147 (06) (_windir__system32_netsh_exe_advfirewall_show_allprofiles) (0x00000000) output.log + 1043 (07) (_windir__system32_netsh_exe_advfirewall_show_global) (0x00000000) output.log + 59 (08) (_windir__system32_netsh_exe_wlan_show_profiles) (0x80070001) output.log + 1591 (09) (_windir__system32_ping_exe_-n_50_localhost) (0x00000000) output.log + 5192 (10) (_windir__system32_Dsregcmd_exe__status) (0x00000000) output.log +``` ## Policy area diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index 3cb1682333..35fe6568b0 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -44,7 +44,8 @@ In Windows, after the user confirms the account deletion command and before the This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. -> **Note**  The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526). +> [!NOTE] +> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).   The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. @@ -157,4 +158,3 @@ When the disconnection is completed, the user is notified that the device has be - diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md index 7ef806784f..f4c951af17 100644 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md @@ -138,10 +138,11 @@ There are two ways to retrieve this file from the device; one pre-GDR1 and one p 2. Set a baseline for this configuration item with a “dummy” value (such as zzz), and ensure that you do not remediate it. The dummy value is not set; it is only used for comparison. -3. After the report XML is sent to the device, Microsoft Endpoint Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data. +3. After the report XML is sent to the device, Microsoft Endpoint Manager displays a compliance log that contains the report information. The log can contain significant amount of data. 4. Parse this log for the report XML content. -For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Configuration Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs). +For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-manager-logs). + **Post-GDR1: Retrieve the report xml file using an SD card** @@ -460,7 +461,7 @@ DownloadFiles $inputFile $downloadCache $localCacheURL ``` -## Retrieve a device update report using Microsoft Endpoint Configuration Manager logs +## Retrieve a device update report using Microsoft Endpoint Manager logs **For pre-GDR1 devices** Use this procedure for pre-GDR1 devices: diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index a6ac91e10f..08073b46d6 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -7,22 +7,22 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.date: -ms.reviewer: +ms.reviewer: manager: dansimp --- # Enroll a Windows 10 device automatically using Group Policy -Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. +Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. Requirements: - AD-joined PC running Windows 10, version 1709 or later -- The enterprise has configured a mobile device management (MDM) service -- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md) +- The enterprise has configured a mobile device management (MDM) service +- The on-premises AD must be [integrated with Azure AD (via Azure AD Connect)](https://docs.microsoft.com/azure/architecture/reference-architectures/identity/azure-ad) - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) -- The minimum Windows Server version requirement is based on the Hybrid AAD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. +- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. > [!TIP] > For additional information, see the following topics: @@ -30,10 +30,10 @@ Requirements: > - [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) > - [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm) -The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered. +The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD–registered. > [!NOTE] -> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. +> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. @@ -42,13 +42,13 @@ In Windows 10, version 1709 or later, when the same policy is configured in GP a For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. ## Verify auto-enrollment requirements and settings -To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. +To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: 1. Verify that the user who is going to enroll the device has a valid Intune license. ![Intune license verification](images/auto-enrollment-intune-license-verification.png) -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). +2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png) @@ -80,7 +80,7 @@ The following steps demonstrate required settings using the Intune service: ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png) -7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. +7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. 8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal). @@ -95,33 +95,35 @@ This procedure is only for illustration purposes to show how the new auto-enroll Requirements: - AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured +- Enterprise has MDM service already configured - Enterprise AD must be registered with Azure AD 1. Run GPEdit.msc - Click Start, then in the text box type gpedit. + Click Start, then in the text box type gpedit. ![GPEdit desktop app search result](images/autoenrollment-gpedit.png) 2. Under **Best match**, click **Edit group policy** to launch it. -3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. +3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. - ![MDM policies](images/autoenrollment-mdm-policies.png) + ![MDM policies](images/autoenrollment-mdm-policies.png) -4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available. +4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use. - ![MDM autoenrollment policy](images/autoenrollment-policy.png) + > [!NOTE] + > **Device Credential** Credential Type may work, however, it is not yet supported by Intune. We don't recommend using this option until it's supported. + ![MDM autoenrollment policy](images/autoenrollment-policy.png) 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**. > [!NOTE] - > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. - > The default behavior for older releases is to revert to **User Credential**. - > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device. + > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. + > The default behavior for older releases is to revert to **User Credential**. + > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device. - When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." + When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). @@ -150,11 +152,11 @@ Requirements: 2. Under **Best match**, click **Task Scheduler** to launch it. -3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. +3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. ![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png) - To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. + To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies. @@ -162,46 +164,49 @@ Requirements: Requirements: - AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured (with Intune or a third party service provider) +- Enterprise has MDM service already configured (with Intune or a third-party service provider) - Enterprise AD must be integrated with Azure AD. - Ensure that PCs belong to same computer group. > [!IMPORTANT] > If you do not see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. -1. Download: - +1. Download: + - 1803 --> [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) - + - 1809 --> [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) - + - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) - - - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)]( -https://www.microsoft.com/download/confirmation.aspx?id=1005915) + + - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) - -2. Install the package on the Domain Controller. - -3. Navigate, depending on the version to the folder: - - - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2** - - - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** - - - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** + - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) + +2. Install the package on the Domain Controller. + +3. Navigate, depending on the version to the folder: + + - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2** + + - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** + + - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** + - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** - - - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** - + + - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** + + - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** + 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. - -5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. - + +5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. + If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain. - + 6. Restart the Domain Controller for the policy to be available. This procedure will work for any future version as well. @@ -215,7 +220,7 @@ This procedure will work for any future version as well. 4. Filter using Security Groups. ## Troubleshoot auto-enrollment of devices -Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. +Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. To collect Event Viewer logs: @@ -251,13 +256,13 @@ To collect Event Viewer logs: Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment. - If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. + If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png) - By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. - A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display less entries as shown in the following screenshot: + By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. + A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png) diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 81f161b9b1..4f516e8c19 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -12,8 +12,8 @@ ms.topic: conceptual --- # How Mobile Device Management Providers support eSIM Management on Windows -The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to leverage an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will leverage the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and installation happens on the background and not impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. - If you are a Mobile Device Management (MDM) Provider and would like to support eSIM Management on Windows, you should do the following: +The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. + If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: - Onboard to Azure Active Directory - Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding as well as mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: - [HPE’s Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) @@ -21,8 +21,8 @@ The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Pro - Assess solution type that you would like to provide your customers - Batch/offline solution - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. -- Operator does not have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to +- Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to - Real-time solution - MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. - Operator is notified of the status of each eSIM profile and has visibility on which devices are being used -**Note:** The solution type is not noticeable to the end-user. The choice between the two is made between the MDM and the Mobile Operator. +**Note:** End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator. diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 9bad3fe712..12547591ba 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -14,41 +14,38 @@ ms.date: 06/26/2017 # FileSystem CSP - The FileSystem configuration service provider is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. It can retrieve information about or manage files in ROM, files in persistent store and files on any removable storage card that is present in the device. It works for files that are hidden from the user as well as those that are visible to the user. -> **Note**  FileSystem CSP is only supported in Windows 10 Mobile. -> -> -> -> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application. +> [!NOTE] +> FileSystem CSP is only supported in Windows 10 Mobile. - +> [!NOTE] +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application. The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. ![filesystem csp (dm)](images/provisioning-csp-filesystem-dm.png) -**FileSystem** +**FileSystem** Required. Defines the root of the file system management object. It functions as the root directory for file system queries. Recursive queries or deletes are not supported for this element. Add commands will add a new file or directory under the root path. The following properties are supported for the root node: -- `Name`: The root node name. The Get command is the only supported command. +- `Name`: The root node name. The Get command is the only supported command. -- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command. +- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command. -- `Format`: The format, which is `node`. The Get command is the only supported command. +- `Format`: The format, which is `node`. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: Not supported. +- `Size`: Not supported. -- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. -***file directory*** +***file directory*** Optional. Returns the name of a directory in the device file system. Any *file directory* element can contain directories and files as child elements. The Get command returns the name of the file directory. The Get command with `?List=Struct` will recursively return all child element names (including sub-directory names). The Get command with `?list=StructData` query is not supported and returns a 406 error code. @@ -61,19 +58,19 @@ The Delete command is used to delete all files and subfolders under this *file d The following properties are supported for file directories: -- `Name`: The file directory name. The Get command is the only supported command. +- `Name`: The file directory name. The Get command is the only supported command. -- `Type`: The MIME type of the file, which an empty string for directories that are not the root node. The Get command is the only supported command. +- `Type`: The MIME type of the file, which is an empty string for directories that are not the root node. The Get command is the only supported command. -- `Format`: The format, which is `node`. The Get command is the only supported command. +- `Format`: The format, which is `node`. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: Not supported. +- `Size`: Not supported. -- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file `winnt.h`. This supports the Get command and the Replace command. -***file name*** +***file name*** Optional. Return a file in binary format. If the file is too large for the configuration service to return, it returns error code 413 (Request entity too large) instead. The Delete command deletes the file. @@ -86,29 +83,18 @@ The Get command is not supported on a *file name* element, only on the propertie The following properties are supported for files: -- `Name`: The file name. The Get command is the only supported command. +- `Name`: The file name. The Get command is the only supported command. -- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command. +- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command. -- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml. The Get command is the only supported command. +- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over WBXML. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: The unencoded file content size in bytes. The Get command is the only supported command. +- `Size`: The unencoded file content size in bytes. The Get command is the only supported command. -- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/get-localized-product-details.md b/windows/client-management/mdm/get-localized-product-details.md index c2e89912d8..52848ed620 100644 --- a/windows/client-management/mdm/get-localized-product-details.md +++ b/windows/client-management/mdm/get-localized-product-details.md @@ -1,6 +1,6 @@ --- title: Get localized product details -description: The Get localized product details operation retrieves the localization information of a product from the Micosoft Store for Business. +description: The Get localized product details operation retrieves the localization information of a product from the Microsoft Store for Business. ms.assetid: EF6AFCA9-8699-46C9-A3BB-CD2750C07901 ms.reviewer: manager: dansimp @@ -9,12 +9,12 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 09/18/2017 +ms.date: 12/07/2020 --- # Get localized product details -The **Get localized product details** operation retrieves the localization information of a product from the Micosoft Store for Business. +The **Get localized product details** operation retrieves the localization information of a product from the Microsoft Store for Business. ## Request diff --git a/windows/client-management/mdm/get-product-package.md b/windows/client-management/mdm/get-product-package.md index 7f75857534..662580acde 100644 --- a/windows/client-management/mdm/get-product-package.md +++ b/windows/client-management/mdm/get-product-package.md @@ -1,6 +1,6 @@ --- title: Get product package -description: The Get product package operation retrieves the information about a specific application in the Micosoft Store for Business. +description: The Get product package operation retrieves the information about a specific application in the Microsoft Store for Business. ms.assetid: 4314C65E-6DDC-405C-A591-D66F799A341F ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ ms.date: 09/18/2017 # Get product package -The **Get product package** operation retrieves the information about a specific application in the Micosoft Store for Business. +The **Get product package** operation retrieves the information about a specific application in the Microsoft Store for Business. ## Request diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png deleted file mode 100644 index 7ee23eda5d..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png and /dev/null differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png deleted file mode 100644 index a1ca65c3f4..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png and /dev/null differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png deleted file mode 100644 index 87f685d460..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png and /dev/null differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png deleted file mode 100644 index 1832454fbc..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png and /dev/null differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png deleted file mode 100644 index c85e74d141..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png and /dev/null differ diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 1c9ca9aba5..f74caeda09 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -12,7 +12,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 11/15/2017 +ms.date: 11/19/2020 --- # MDM enrollment of Windows 10-based devices @@ -248,33 +248,6 @@ To create a local account and connect the device: After you complete the flow, your device will be connected to your organization’s MDM. - -### Connect to MDM on a phone (enroll in device management) - -1. Launch the Settings app, and then select **Accounts**. - - ![phone settings](images/unifiedenrollment-rs1-38.png) - -2. Select **Access work or school**. - - ![phone settings](images/unifiedenrollment-rs1-39.png) - -3. Select the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). - - ![access work or school page](images/unifiedenrollment-rs1-40.png) - -4. Enter your work email address. - - ![enter your email address](images/unifiedenrollment-rs1-41.png) - -5. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. - - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - -6. After you complete the flow, your device will be connected to your organization’s MDM. - - ![completed mdm enrollment](images/unifiedenrollment-rs1-42.png) - ### Help with connecting personally-owned devices There are a few instances where your device may not be able to connect to work. diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index ee9ee3c5f7..e6dc9c5ed6 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -27,6 +27,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s |New or updated article|Description| |-----|-----| | [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:
    - [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
    - [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
    - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
    - [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
    - [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
    - [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
    - [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
    - [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | +| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
    -Properties/SleepMode | | [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
    - Settings/AllowWindowsDefenderApplicationGuard | ## What’s new in MDM for Windows 10, version 2004 @@ -48,7 +49,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s | New or updated article | Description | |-----|-----| -|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903:
    - [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
    - [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
    - [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
    - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
    - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
    - [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceinstanceids)
    - [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceinstanceids)
    - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
    - [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
    - [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
    - [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
    - [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
    - [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
    - [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
    - [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
    - [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
    - [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
    - [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
    - [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
    - [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
    - [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
    - [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
    - [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
    - [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
    - [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
    - [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
    - [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
    - [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
    - [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
    - [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
    - [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
    - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
    - [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
    - [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
    - [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
    - [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
    - [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
    - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
    - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
    - [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
    - [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
    - [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)| +|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903:
    - [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
    - [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
    - [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
    - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
    - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
    - [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids)
    - [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids)
    - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
    - [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
    - [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
    - [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
    - [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
    - [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
    - [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
    - [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
    - [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
    - [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
    - [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
    - [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
    - [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
    - [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
    - [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
    - [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
    - [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
    - [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
    - [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
    - [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
    - [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
    - [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
    - [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
    - [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
    - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
    - [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
    - [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
    - [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
    - [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
    - [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
    - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
    - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
    - [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
    - [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
    - [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)| | [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. | | [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. | | [Defender CSP](defender-csp.md) | Added the following new nodes:
    - Health/TamperProtectionEnabled
    - Health/IsVirtualMachine
    - Configuration
    - Configuration/TamperProtection
    - Configuration/EnableFileHashComputation | diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 8ede74a7a6..a93f4e23d3 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -21,7 +21,8 @@ ms.date: 10/08/2020 > - [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) -- [ADMX_AddRemovePrograms/DefaultCategory](/policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory) +- [ADMX_ActiveXInstallService/AxISURLZonePolicies](./policy-csp-admx-activexinstallservice.md#admx-activexinstallservice-axisurlzonepolicies) +- [ADMX_AddRemovePrograms/DefaultCategory](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory) - [ADMX_AddRemovePrograms/NoAddFromCDorFloppy](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromcdorfloppy) - [ADMX_AddRemovePrograms/NoAddFromInternet](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfrominternet) - [ADMX_AddRemovePrograms/NoAddFromNetwork](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromnetwork) @@ -41,6 +42,16 @@ ms.date: 10/08/2020 - [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2) - [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord) - [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory) +- [ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles](./policy-csp-admx-appxpackagemanager.md#admx-appxpackagemanager-allowdeploymentinspecialprofiles) +- [ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeapplicationcontenturirules) +- [ADMX_AppXRuntime/AppxRuntimeBlockFileElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockfileelevation) +- [ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockhostedappaccesswinrt) +- [ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockprotocolelevation) +- [ADMX_AttachmentManager/AM_EstimateFileHandlerRisk](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-estimatefilehandlerrisk) +- [ADMX_AttachmentManager/AM_SetFileRiskLevel](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setfilerisklevel) +- [ADMX_AttachmentManager/AM_SetHighRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-sethighriskinclusion) +- [ADMX_AttachmentManager/AM_SetLowRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setlowriskinclusion) +- [ADMX_AttachmentManager/AM_SetModRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setmodriskinclusion) - [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) - [ADMX_Bits/BITS_DisableBranchCache](./policy-csp-admx-bits.md#admx-bits-bits-disablebranchcache) - [ADMX_Bits/BITS_DisablePeercachingClient](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingclient) @@ -60,11 +71,95 @@ ms.date: 10/08/2020 - [ADMX_CipherSuiteOrder/SSLCurveOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslcurveorder) - [ADMX_COM/AppMgmt_COM_SearchForCLSID_1](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-1) - [ADMX_COM/AppMgmt_COM_SearchForCLSID_2](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-2) +- [ADMX_ControlPanel/DisallowCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-disallowcpls) +- [ADMX_ControlPanel/ForceClassicControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-forceclassiccontrolpanel) +- [ADMX_ControlPanel/NoControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-nocontrolpanel) +- [ADMX_ControlPanel/RestrictCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-restrictcpls) +- [ADMX_ControlPanelDisplay/CPL_Display_Disable](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-disable) +- [ADMX_ControlPanelDisplay/CPL_Display_HideSettings](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-hidesettings) +- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablecolorschemechoice) +- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablethemechange) +- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablevisualstyle) +- [ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-enablescreensaver) +- [ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-forcedefaultlockscreen) +- [ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-lockfontsize) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochanginglockscreen) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochangingstartmenubackground) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nocolorappearanceui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopbackgroundui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopiconsui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nolockscreen) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nomousepointersui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-noscreensaverui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nosoundschemeui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-personalcolors) +- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensaverissecure) +- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensavertimeout) +- [ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setscreensaver) +- [ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-settheme) +- [ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setvisualstyle) +- [ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-startbackground) - [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) +- [ADMX_CredentialProviders/AllowDomainDelayLock](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowdomaindelaylock) +- [ADMX_CredentialProviders/DefaultCredentialProvider](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultcredentialprovider) +- [ADMX_CredentialProviders/ExcludedCredentialProviders](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-excludedcredentialproviders) +- [ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowdefcredentialswhenntlmonly) +- [ADMX_CredSsp/AllowDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowdefaultcredentials) +- [ADMX_CredSsp/AllowEncryptionOracle](./policy-csp-admx-credssp.md#admx-credssp-allowencryptionoracle) +- [ADMX_CredSsp/AllowFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentials) +- [ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentialswhenntlmonly) +- [ADMX_CredSsp/AllowSavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentials) +- [ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentialswhenntlmonly) +- [ADMX_CredSsp/DenyDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-denydefaultcredentials) +- [ADMX_CredSsp/DenyFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-denyfreshcredentials) +- [ADMX_CredSsp/DenySavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-denysavedcredentials) +- [ADMX_CredSsp/RestrictedRemoteAdministration](./policy-csp-admx-credssp.md#admx-credssp-restrictedremoteadministration) +- [ADMX_CredUI/EnableSecureCredentialPrompting](./policy-csp-admx-credui.md#admx-credui-enablesecurecredentialprompting) +- [ADMX_CredUI/NoLocalPasswordResetQuestions](./policy-csp-admx-credui.md#admx-credui-nolocalpasswordresetquestions) - [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) - [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) - [ADMX_CtrlAltDel/DisableTaskMgr](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr) - [ADMX_CtrlAltDel/NoLogoff](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-nologoff) +- [ADMX_DataCollection/CommercialIdPolicy](./policy-csp-admx-datacollection.md#admx-datacollection-commercialidpolicy) +- [ADMX_Desktop/AD_EnableFilter](./policy-csp-admx-desktop.md#admx-desktop-ad-enablefilter) +- [ADMX_Desktop/AD_HideDirectoryFolder](./policy-csp-admx-desktop.md#admx-desktop-ad-hidedirectoryfolder) +- [ADMX_Desktop/AD_QueryLimit](./policy-csp-admx-desktop.md#admx-desktop-ad-querylimit) +- [ADMX_Desktop/ForceActiveDesktopOn](./policy-csp-admx-desktop.md#admx-desktop-forceactivedesktopon) +- [ADMX_Desktop/NoActiveDesktop](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktop) +- [ADMX_Desktop/NoActiveDesktopChanges](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktopchanges) +- [ADMX_Desktop/NoDesktop](./policy-csp-admx-desktop.md#admx-desktop-nodesktop) +- [ADMX_Desktop/NoDesktopCleanupWizard](./policy-csp-admx-desktop.md#admx-desktop-nodesktopcleanupwizard) +- [ADMX_Desktop/NoInternetIcon](./policy-csp-admx-desktop.md#admx-desktop-nointerneticon) +- [ADMX_Desktop/NoMyComputerIcon](./policy-csp-admx-desktop.md#admx-desktop-nomycomputericon) +- [ADMX_Desktop/NoMyDocumentsIcon](./policy-csp-admx-desktop.md#admx-desktop-nomydocumentsicon) +- [ADMX_Desktop/NoNetHood](./policy-csp-admx-desktop.md#admx-desktop-nonethood) +- [ADMX_Desktop/NoPropertiesMyComputer](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmycomputer) +- [ADMX_Desktop/NoPropertiesMyDocuments](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmydocuments) +- [ADMX_Desktop/NoRecentDocsNetHood](./policy-csp-admx-desktop.md#admx-desktop-norecentdocsnethood) +- [ADMX_Desktop/NoRecycleBinIcon](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinicon) +- [ADMX_Desktop/NoRecycleBinProperties](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinproperties) +- [ADMX_Desktop/NoSaveSettings](./policy-csp-admx-desktop.md#admx-desktop-nosavesettings) +- [ADMX_Desktop/NoWindowMinimizingShortcuts](./policy-csp-admx-desktop.md#admx-desktop-nowindowminimizingshortcuts) +- [ADMX_Desktop/Wallpaper](./policy-csp-admx-desktop.md#admx-desktop-wallpaper) +- [ADMX_Desktop/sz_ATC_DisableAdd](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableadd) +- [ADMX_Desktop/sz_ATC_DisableClose](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableclose) +- [ADMX_Desktop/sz_ATC_DisableDel](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disabledel) +- [ADMX_Desktop/sz_ATC_DisableEdit](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableedit) +- [ADMX_Desktop/sz_ATC_NoComponents](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-nocomponents) +- [ADMX_Desktop/sz_AdminComponents_Title](./policy-csp-admx-desktop.md#admx-desktop-sz-admincomponents-title) +- [ADMX_Desktop/sz_DB_DragDropClose](./policy-csp-admx-desktop.md#admx-desktop-sz-db-dragdropclose) +- [ADMX_Desktop/sz_DB_Moving](./policy-csp-admx-desktop.md#admx-desktop-sz-db-moving) +- [ADMX_Desktop/sz_DWP_NoHTMLPaper](./policy-csp-admx-desktop.md#admx-desktop-sz-dwp-nohtmlpaper) +- [ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-allowadmininstall) +- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext) +- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext) +- [ADMX_DeviceInstallation/DeviceInstall_InstallTimeout](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-installtimeout) +- [ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-policy-reboottime) +- [ADMX_DeviceInstallation/DeviceInstall_Removable_Deny](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-removable-deny) +- [ADMX_DeviceInstallation/DeviceInstall_SystemRestore](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-systemrestore) +- [ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-classes-allowuser) +- [ADMX_DeviceSetup/DeviceInstall_BalloonTips](./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-balloontips) +- [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2) - [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries) @@ -95,9 +190,82 @@ ms.date: 10/08/2020 - [ADMX_DWM/DwmDisallowAnimations_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-2) - [ADMX_DWM/DwmDisallowColorizationColorChanges_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-1) - [ADMX_DWM/DwmDisallowColorizationColorChanges_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-2) +- [ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList](./policy-csp-admx-eaime.md#admx-eaime-l-donotincludenonpublishingstandardglyphinthecandidatelist) +- [ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion](./policy-csp-admx-eaime.md#admx-eaime-l-restrictcharactercoderangeofconversion) +- [ADMX_EAIME/L_TurnOffCustomDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffcustomdictionary) +- [ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffhistorybasedpredictiveinput) +- [ADMX_EAIME/L_TurnOffInternetSearchIntegration](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffinternetsearchintegration) +- [ADMX_EAIME/L_TurnOffOpenExtendedDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffopenextendeddictionary) +- [ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffsavingautotuningdatatofile) +- [ADMX_EAIME/L_TurnOnCloudCandidate](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidate) +- [ADMX_EAIME/L_TurnOnCloudCandidateCHS](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidatechs) +- [ADMX_EAIME/L_TurnOnLexiconUpdate](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlexiconupdate) +- [ADMX_EAIME/L_TurnOnLiveStickers](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlivestickers) +- [ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport](./policy-csp-admx-eaime.md#admx-eaime-l-turnonmisconversionloggingformisconversionreport) - [ADMX_EncryptFilesonMove/NoEncryptOnMove](./policy-csp-admx-encryptfilesonmove.md#admx-encryptfilesonmove-noencryptonmove) +- [ADMX_EnhancedStorage/ApprovedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedenstordevices) +- [ADMX_EnhancedStorage/ApprovedSilos](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedsilos) +- [ADMX_EnhancedStorage/DisablePasswordAuthentication](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disablepasswordauthentication) +- [ADMX_EnhancedStorage/DisallowLegacyDiskDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disallowlegacydiskdevices) +- [ADMX_EnhancedStorage/LockDeviceOnMachineLock](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-lockdeviceonmachinelock) +- [ADMX_EnhancedStorage/RootHubConnectedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-roothubconnectedenstordevices) +- [ADMX_ErrorReporting/PCH_AllOrNoneDef](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornonedef) +- [ADMX_ErrorReporting/PCH_AllOrNoneEx](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneex) +- [ADMX_ErrorReporting/PCH_AllOrNoneInc](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneinc) +- [ADMX_ErrorReporting/PCH_ConfigureReport](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-configurereport) +- [ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-reportoperatingsystemfaults) +- [ADMX_ErrorReporting/WerArchive_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-1) +- [ADMX_ErrorReporting/WerArchive_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-2) +- [ADMX_ErrorReporting/WerAutoApproveOSDumps_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-1) +- [ADMX_ErrorReporting/WerAutoApproveOSDumps_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-2) +- [ADMX_ErrorReporting/WerBypassDataThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-1) +- [ADMX_ErrorReporting/WerBypassDataThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-2) +- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-1) +- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-2) +- [ADMX_ErrorReporting/WerBypassPowerThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-1) +- [ADMX_ErrorReporting/WerBypassPowerThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-2) +- [ADMX_ErrorReporting/WerCER](./policy-csp-admx-errorreporting.md#admx-errorreporting-wercer) +- [ADMX_ErrorReporting/WerConsentCustomize_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentcustomize-1) +- [ADMX_ErrorReporting/WerConsentOverride_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-1) +- [ADMX_ErrorReporting/WerConsentOverride_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-2) +- [ADMX_ErrorReporting/WerDefaultConsent_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-1) +- [ADMX_ErrorReporting/WerDefaultConsent_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-2) +- [ADMX_ErrorReporting/WerDisable_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdisable-1) +- [ADMX_ErrorReporting/WerExlusion_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-1) +- [ADMX_ErrorReporting/WerExlusion_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-2) +- [ADMX_ErrorReporting/WerNoLogging_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-1) +- [ADMX_ErrorReporting/WerNoLogging_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-2) +- [ADMX_ErrorReporting/WerNoSecondLevelData_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernosecondleveldata-1) +- [ADMX_ErrorReporting/WerQueue_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-1) +- [ADMX_ErrorReporting/WerQueue_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-2) - [ADMX_EventForwarding/ForwarderResourceUsage](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-forwarderresourceusage) - [ADMX_EventForwarding/SubscriptionManager](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-subscriptionmanager) +- [ADMX_EventLog/Channel_LogEnabled](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logenabled) +- [ADMX_EventLog/Channel_LogFilePath_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-1) +- [ADMX_EventLog/Channel_LogFilePath_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-2) +- [ADMX_EventLog/Channel_LogFilePath_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-3) +- [ADMX_EventLog/Channel_LogFilePath_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-4) +- [ADMX_EventLog/Channel_LogMaxSize_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logmaxsize-3) +- [ADMX_EventLog/Channel_Log_AutoBackup_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-1) +- [ADMX_EventLog/Channel_Log_AutoBackup_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-2) +- [ADMX_EventLog/Channel_Log_AutoBackup_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-3) +- [ADMX_EventLog/Channel_Log_AutoBackup_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-4) +- [ADMX_EventLog/Channel_Log_FileLogAccess_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-1) +- [ADMX_EventLog/Channel_Log_FileLogAccess_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-2) +- [ADMX_EventLog/Channel_Log_FileLogAccess_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-3) +- [ADMX_EventLog/Channel_Log_FileLogAccess_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-4) +- [ADMX_EventLog/Channel_Log_FileLogAccess_5](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-5) +- [ADMX_EventLog/Channel_Log_FileLogAccess_6](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-6) +- [ADMX_EventLog/Channel_Log_FileLogAccess_7](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-7) +- [ADMX_EventLog/Channel_Log_FileLogAccess_8](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-8) +- [ADMX_EventLog/Channel_Log_Retention_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-2) +- [ADMX_EventLog/Channel_Log_Retention_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-3) +- [ADMX_EventLog/Channel_Log_Retention_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-4) +- [ADMX_Explorer/AdminInfoUrl](./policy-csp-admx-explorer.md#admx-explorer-admininfourl) +- [ADMX_Explorer/AlwaysShowClassicMenu](./policy-csp-admx-explorer.md#admx-explorer-alwaysshowclassicmenu) +- [ADMX_Explorer/DisableRoamedProfileInit](./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit) +- [ADMX_Explorer/PreventItemCreationInUsersFilesFolder](./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder) +- [ADMX_Explorer/TurnOffSPIAnimations](./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations) - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol) - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression) - [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification) @@ -114,6 +282,73 @@ ms.date: 10/08/2020 - [ADMX_FolderRedirection/LocalizeXPRelativePaths_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-2) - [ADMX_FolderRedirection/PrimaryComputer_FR_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-1) - [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2) +- [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin) +- [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1) +- [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2) +- [ADMX_Globalization/HideAdminOptions](./policy-csp-admx-globalization.md#admx-globalization-hideadminoptions) +- [ADMX_Globalization/HideCurrentLocation](./policy-csp-admx-globalization.md#admx-globalization-hidecurrentlocation) +- [ADMX_Globalization/HideLanguageSelection](./policy-csp-admx-globalization.md#admx-globalization-hidelanguageselection) +- [ADMX_Globalization/HideLocaleSelectAndCustomize](./policy-csp-admx-globalization.md#admx-globalization-hidelocaleselectandcustomize) +- [ADMX_Globalization/ImplicitDataCollectionOff_1](./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-1) +- [ADMX_Globalization/ImplicitDataCollectionOff_2](./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-2) +- [ADMX_Globalization/LocaleSystemRestrict](./policy-csp-admx-globalization.md#admx-globalization-localesystemrestrict) +- [ADMX_Globalization/LocaleUserRestrict_1](./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-1) +- [ADMX_Globalization/LocaleUserRestrict_2](./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-2) +- [ADMX_Globalization/LockMachineUILanguage](./policy-csp-admx-globalization.md#admx-globalization-lockmachineuilanguage) +- [ADMX_Globalization/LockUserUILanguage](./policy-csp-admx-globalization.md#admx-globalization-lockuseruilanguage) +- [ADMX_Globalization/PreventGeoIdChange_1](./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-1) +- [ADMX_Globalization/PreventGeoIdChange_2](./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-2) +- [ADMX_Globalization/PreventUserOverrides_1](./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-1) +- [ADMX_Globalization/PreventUserOverrides_2](./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-2) +- [ADMX_Globalization/RestrictUILangSelect](./policy-csp-admx-globalization.md#admx-globalization-restrictuilangselect) +- [ADMX_Globalization/TurnOffAutocorrectMisspelledWords](./policy-csp-admx-globalization.md#admx-globalization-turnoffautocorrectmisspelledwords) +- [ADMX_Globalization/TurnOffHighlightMisspelledWords](./policy-csp-admx-globalization.md#admx-globalization-turnoffhighlightmisspelledwords) +- [ADMX_Globalization/TurnOffInsertSpace](./policy-csp-admx-globalization.md#admx-globalization-turnoffinsertspace) +- [ADMX_Globalization/TurnOffOfferTextPredictions](./policy-csp-admx-globalization.md#admx-globalization-turnoffoffertextpredictions) +- [ADMX_Globalization/Y2K](./policy-csp-admx-globalization.md#admx-globalization-y2k) +- [ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-allowx-forestpolicy-and-rup) +- [ADMX_GroupPolicy/CSE_AppMgmt](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-appmgmt) +- [ADMX_GroupPolicy/CSE_DiskQuota](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-diskquota) +- [ADMX_GroupPolicy/CSE_EFSRecovery](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-efsrecovery) +- [ADMX_GroupPolicy/CSE_FolderRedirection](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-folderredirection) +- [ADMX_GroupPolicy/CSE_IEM](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-iem) +- [ADMX_GroupPolicy/CSE_IPSecurity](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-ipsecurity) +- [ADMX_GroupPolicy/CSE_Registry](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-registry) +- [ADMX_GroupPolicy/CSE_Scripts](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-scripts) +- [ADMX_GroupPolicy/CSE_Security](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-security) +- [ADMX_GroupPolicy/CSE_Wired](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wired) +- [ADMX_GroupPolicy/CSE_Wireless](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wireless) +- [ADMX_GroupPolicy/CorpConnSyncWaitTime](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-corpconnsyncwaittime) +- [ADMX_GroupPolicy/DenyRsopToInteractiveUser_1](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-1) +- [ADMX_GroupPolicy/DenyRsopToInteractiveUser_2](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-2) +- [ADMX_GroupPolicy/DisableAOACProcessing](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableaoacprocessing) +- [ADMX_GroupPolicy/DisableAutoADMUpdate](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableautoadmupdate) +- [ADMX_GroupPolicy/DisableBackgroundPolicy](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablebackgroundpolicy) +- [ADMX_GroupPolicy/DisableLGPOProcessing](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablelgpoprocessing) +- [ADMX_GroupPolicy/DisableUsersFromMachGP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableusersfrommachgp) +- [ADMX_GroupPolicy/EnableCDP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablecdp) +- [ADMX_GroupPolicy/EnableLogonOptimization](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimization) +- [ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimizationonserversku) +- [ADMX_GroupPolicy/EnableMMX](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablemmx) +- [ADMX_GroupPolicy/EnforcePoliciesOnly](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enforcepoliciesonly) +- [ADMX_GroupPolicy/FontMitigation](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-fontmitigation) +- [ADMX_GroupPolicy/GPDCOptions](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gpdcoptions) +- [ADMX_GroupPolicy/GPTransferRate_1](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-1) +- [ADMX_GroupPolicy/GPTransferRate_2](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-2) +- [ADMX_GroupPolicy/GroupPolicyRefreshRate](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrate) +- [ADMX_GroupPolicy/GroupPolicyRefreshRateDC](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshratedc) +- [ADMX_GroupPolicy/GroupPolicyRefreshRateUser](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrateuser) +- [ADMX_GroupPolicy/LogonScriptDelay](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-logonscriptdelay) +- [ADMX_GroupPolicy/NewGPODisplayName](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpodisplayname) +- [ADMX_GroupPolicy/NewGPOLinksDisabled](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpolinksdisabled) +- [ADMX_GroupPolicy/OnlyUseLocalAdminFiles](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-onlyuselocaladminfiles) +- [ADMX_GroupPolicy/ProcessMitigationOptions](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-processmitigationoptions) +- [ADMX_GroupPolicy/RSoPLogging](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-rsoplogging) +- [ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-resetdfsclientinfoduringrefreshpolicy) +- [ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaultfordirectaccess) +- [ADMX_GroupPolicy/SlowlinkDefaultToAsync](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaulttoasync) +- [ADMX_GroupPolicy/SyncWaitTime](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-syncwaittime) +- [ADMX_GroupPolicy/UserPolicyMode](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-userpolicymode) - [ADMX_Help/DisableHHDEP](./policy-csp-admx-help.md#admx-help-disablehhdep) - [ADMX_Help/HelpQualifiedRootDir_Comp](./policy-csp-admx-help.md#admx-help-helpqualifiedrootdir-comp) - [ADMX_Help/RestrictRunFromHelp](./policy-csp-admx-help.md#admx-help-restrictrunfromhelp) @@ -122,18 +357,163 @@ ms.date: 10/08/2020 - [ADMX_HelpAndSupport/HPExplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpexplicitfeedback) - [ADMX_HelpAndSupport/HPImplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpimplicitfeedback) - [ADMX_HelpAndSupport/HPOnlineAssistance](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hponlineassistance) +- [ADMX_ICM/CEIPEnable](./policy-csp-admx-icm.md#admx-icm-ceipenable) +- [ADMX_ICM/CertMgr_DisableAutoRootUpdates](./policy-csp-admx-icm.md#admx-icm-certmgr-disableautorootupdates) +- [ADMX_ICM/DisableHTTPPrinting_1](./policy-csp-admx-icm.md#admx-icm-disablehttpprinting-1) +- [ADMX_ICM/DisableWebPnPDownload_1](./policy-csp-admx-icm.md#admx-icm-disablewebpnpdownload-1) +- [ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate](./policy-csp-admx-icm.md#admx-icm-driversearchplaces-dontsearchwindowsupdate) +- [ADMX_ICM/EventViewer_DisableLinks](./policy-csp-admx-icm.md#admx-icm-eventviewer-disablelinks) +- [ADMX_ICM/HSS_HeadlinesPolicy](./policy-csp-admx-icm.md#admx-icm-hss-headlinespolicy) +- [ADMX_ICM/HSS_KBSearchPolicy](./policy-csp-admx-icm.md#admx-icm-hss-kbsearchpolicy) +- [ADMX_ICM/InternetManagement_RestrictCommunication_1](./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-1) +- [ADMX_ICM/InternetManagement_RestrictCommunication_2](./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-2) +- [ADMX_ICM/NC_ExitOnISP](./policy-csp-admx-icm.md#admx-icm-nc-exitonisp) +- [ADMX_ICM/NC_NoRegistration](./policy-csp-admx-icm.md#admx-icm-nc-noregistration) +- [ADMX_ICM/PCH_DoNotReport](./policy-csp-admx-icm.md#admx-icm-pch-donotreport) +- [ADMX_ICM/RemoveWindowsUpdate_ICM](./policy-csp-admx-icm.md#admx-icm-removewindowsupdate-icm) +- [ADMX_ICM/SearchCompanion_DisableFileUpdates](./policy-csp-admx-icm.md#admx-icm-searchcompanion-disablefileupdates) +- [ADMX_ICM/ShellNoUseInternetOpenWith_1](./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-1) +- [ADMX_ICM/ShellNoUseInternetOpenWith_2](./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-2) +- [ADMX_ICM/ShellNoUseStoreOpenWith_1](./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-1) +- [ADMX_ICM/ShellNoUseStoreOpenWith_2](./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-2) +- [ADMX_ICM/ShellPreventWPWDownload_1](./policy-csp-admx-icm.md#admx-icm-shellpreventwpwdownload-1) +- [ADMX_ICM/ShellRemoveOrderPrints_1](./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-1) +- [ADMX_ICM/ShellRemoveOrderPrints_2](./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-2) +- [ADMX_ICM/ShellRemovePublishToWeb_1](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-1) +- [ADMX_ICM/ShellRemovePublishToWeb_2](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-2) +- [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1) +- [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2) - [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor) - [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch) - [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness) - [ADMX_kdc/RequestCompoundId](./policy-csp-admx-kdc.md#admx-kdc-requestcompoundid) - [ADMX_kdc/TicketSizeThreshold](./policy-csp-admx-kdc.md#admx-kdc-ticketsizethreshold) - [ADMX_kdc/emitlili](./policy-csp-admx-kdc.md#admx-kdc-emitlili) +- [ADMX_Kerberos/AlwaysSendCompoundId](./policy-csp-admx-kerberos.md#admx-kerberos-alwayssendcompoundid) +- [ADMX_Kerberos/DevicePKInitEnabled](./policy-csp-admx-kerberos.md#admx-kerberos-devicepkinitenabled) +- [ADMX_Kerberos/HostToRealm](./policy-csp-admx-kerberos.md#admx-kerberos-hosttorealm) +- [ADMX_Kerberos/KdcProxyDisableServerRevocationCheck](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxydisableserverrevocationcheck) +- [ADMX_Kerberos/KdcProxyServer](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxyserver) +- [ADMX_Kerberos/MitRealms](./policy-csp-admx-kerberos.md#admx-kerberos-mitrealms) +- [ADMX_Kerberos/ServerAcceptsCompound](./policy-csp-admx-kerberos.md#admx-kerberos-serveracceptscompound) +- [ADMX_Kerberos/StrictTarget](./policy-csp-admx-kerberos.md#admx-kerberos-stricttarget) - [ADMX_LanmanServer/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-ciphersuiteorder) - [ADMX_LanmanServer/Pol_HashPublication](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashpublication) - [ADMX_LanmanServer/Pol_HashSupportVersion](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashsupportversion) - [ADMX_LanmanServer/Pol_HonorCipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-honorciphersuiteorder) +- [ADMX_LanmanWorkstation/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-ciphersuiteorder) +- [ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enablehandlecachingforcafiles) +- [ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr) +- [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin) +- [ADMX_Logon/DisableAcrylicBackgroundOnLogon](./policy-csp-admx-logon.md#admx-logon-disableacrylicbackgroundonlogon) +- [ADMX_Logon/DisableExplorerRunLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-1) +- [ADMX_Logon/DisableExplorerRunLegacy_2](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-2) +- [ADMX_Logon/DisableExplorerRunOnceLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-1) +- [ADMX_Logon/DisableExplorerRunOnceLegacy_2](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-2) +- [ADMX_Logon/DisableStatusMessages](./policy-csp-admx-logon.md#admx-logon-disablestatusmessages) +- [ADMX_Logon/DontEnumerateConnectedUsers](./policy-csp-admx-logon.md#admx-logon-dontenumerateconnectedusers) +- [ADMX_Logon/NoWelcomeTips_1](./policy-csp-admx-logon.md#admx-logon-nowelcometips-1) +- [ADMX_Logon/NoWelcomeTips_2](./policy-csp-admx-logon.md#admx-logon-nowelcometips-2) +- [ADMX_Logon/Run_1](./policy-csp-admx-logon.md#admx-logon-run-1) +- [ADMX_Logon/Run_2](./policy-csp-admx-logon.md#admx-logon-run-2) +- [ADMX_Logon/SyncForegroundPolicy](./policy-csp-admx-logon.md#admx-logon-syncforegroundpolicy) +- [ADMX_Logon/UseOEMBackground](./policy-csp-admx-logon.md#admx-logon-useoembackground) +- [ADMX_Logon/VerboseStatus](./policy-csp-admx-logon.md#admx-logon-verbosestatus) +- [ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-allowfastservicestartup) +- [ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableantispywaredefender) +- [ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableautoexclusions) +- [ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableblockatfirstseen) +- [ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablelocaladminmerge) +- [ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablerealtimemonitoring) +- [ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableroutinelytakingaction) +- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-extensions) +- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-paths) +- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-processes) +- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-asronlyexclusions) +- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-rules) +- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-allowedapplications) +- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-protectedfolders) +- [ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-mpengine-enablefilehashcomputation) +- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-disablesignatureretirement) +- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-sku-differentiation-signature-set-guid) +- [ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-disableprotocolrecognition) +- [ADMX_MicrosoftDefenderAntivirus/ProxyBypass](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxybypass) +- [ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxypacurl) +- [ADMX_MicrosoftDefenderAntivirus/ProxyServer](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxyserver) +- [ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-localsettingoverridepurgeitemsafterdelay) +- [ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-purgeitemsafterdelay) +- [ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-randomizescheduletasktimes) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablebehaviormonitoring) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableioavprotection) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableonaccessprotection) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablerawwritenotification) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablescanonrealtimeenable) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-ioavmaxsize) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablebehaviormonitoring) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableioavprotection) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableonaccessprotection) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablerealtimemonitoring) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverriderealtimescandirection) +- [ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-localsettingoverridescan-scheduletime) +- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduleday) +- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduletime) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-additionalactiontimeout) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-criticalfailuretimeout) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disableenhancednotifications) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disablegenericreports) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-noncriticaltimeout) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-recentlycleanedtimeout) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracingcomponents) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracinglevel) +- [ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-allowpause) +- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxdepth) +- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxsize) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablearchivescanning) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableemailscanning) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableheuristics) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablepackedexescanning) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableremovabledrivescanning) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablereparsepointscanning) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablerestorepoint) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningnetworkfiles) +- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideavgcpuloadfactor) +- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescanparameters) +- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduleday) +- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideschedulequickscantime) +- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduletime) +- [ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-lowcpupriority) +- [ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-missedscheduledscancountbeforecatchup) +- [ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-purgeitemsafterdelay) +- [ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-quickscaninterval) +- [ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scanonlyifidle) +- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduleday) +- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduletime) +- [ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-servicekeepalive) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-assignaturedue) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-avsignaturedue) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-definitionupdatefilesharessources) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescanonupdate) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescheduledsignatureupdateonbattery) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disableupdateonstartupwithoutengine) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-fallbackorder) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-forceupdatefrommu) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-realtimesignaturedelivery) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduleday) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduletime) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-sharedsignatureslocation) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signaturedisablenotification) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signatureupdatecatchupinterval) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-updateonstartup) +- [ADMX_MicrosoftDefenderAntivirus/SpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynetreporting) +- [ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynet-localsettingoverridespynetreporting) +- [ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-threats-threatiddefaultaction) +- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-customdefaultactiontoaststring) +- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-notification-suppress) +- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-suppressrebootnotification) +- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-uilockdown) - [ADMX_MMC/MMC_ActiveXControl](./policy-csp-admx-mmc.md#admx-mmc-mmc-activexcontrol) - [ADMX_MMC/MMC_ExtendView](./policy-csp-admx-mmc.md#admx-mmc-mmc-extendview) - [ADMX_MMC/MMC_LinkToWeb](./policy-csp-admx-mmc.md#admx-mmc-mmc-linktoweb) @@ -244,6 +624,35 @@ ms.date: 10/08/2020 - [ADMX_MMCSnapins/MMC_WirelessMon](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessmon) - [ADMX_MMCSnapins/MMC_WirelessNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessnetworkpolicy) - [ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine](./policy-csp-admx-msapolicy.md#admx-msapolicy-microsoftaccount-disableuserauth) +- [ADMX_msched/ActivationBoundaryPolicy](./policy-csp-admx-msched.md#admx-msched-activationboundarypolicy) +- [ADMX_msched/RandomDelayPolicy](./policy-csp-admx-msched.md#admx-msched-randomdelaypolicy) +- [ADMX_MSDT/MsdtSupportProvider](./policy-csp-admx-msdt.md#admx-msdt-msdtsupportprovider) +- [ADMX_MSDT/MsdtToolDownloadPolicy](./policy-csp-admx-msdt.md#admx-msdt-msdttooldownloadpolicy) +- [ADMX_MSDT/WdiScenarioExecutionPolicy](./policy-csp-admx-msdt.md#admx-msdt-wdiscenarioexecutionpolicy) +- [ADMX_MSI/AllowLockdownBrowse](./policy-csp-admx-msi.md#admx-msi-allowlockdownbrowse) +- [ADMX_MSI/AllowLockdownMedia](./policy-csp-admx-msi.md#admx-msi-allowlockdownmedia) +- [ADMX_MSI/AllowLockdownPatch](./policy-csp-admx-msi.md#admx-msi-allowlockdownpatch) +- [ADMX_MSI/DisableAutomaticApplicationShutdown](./policy-csp-admx-msi.md#admx-msi-disableautomaticapplicationshutdown) +- [ADMX_MSI/DisableBrowse](./policy-csp-admx-msi.md#admx-msi-disablebrowse) +- [ADMX_MSI/DisableFlyweightPatching](./policy-csp-admx-msi.md#admx-msi-disableflyweightpatching) +- [ADMX_MSI/DisableLoggingFromPackage](./policy-csp-admx-msi.md#admx-msi-disableloggingfrompackage) +- [ADMX_MSI/DisableMSI](./policy-csp-admx-msi.md#admx-msi-disablemsi) +- [ADMX_MSI/DisableMedia](./policy-csp-admx-msi.md#admx-msi-disablemedia) +- [ADMX_MSI/DisablePatch](./policy-csp-admx-msi.md#admx-msi-disablepatch) +- [ADMX_MSI/DisableRollback_1](./policy-csp-admx-msi.md#admx-msi-disablerollback-1) +- [ADMX_MSI/DisableRollback_2](./policy-csp-admx-msi.md#admx-msi-disablerollback-2) +- [ADMX_MSI/DisableSharedComponent](./policy-csp-admx-msi.md#admx-msi-disablesharedcomponent) +- [ADMX_MSI/MSILogging](./policy-csp-admx-msi.md#admx-msi-msilogging) +- [ADMX_MSI/MSI_DisableLUAPatching](./policy-csp-admx-msi.md#admx-msi-msi-disableluapatching) +- [ADMX_MSI/MSI_DisablePatchUninstall](./policy-csp-admx-msi.md#admx-msi-msi-disablepatchuninstall) +- [ADMX_MSI/MSI_DisableSRCheckPoints](./policy-csp-admx-msi.md#admx-msi-msi-disablesrcheckpoints) +- [ADMX_MSI/MSI_DisableUserInstalls](./policy-csp-admx-msi.md#admx-msi-msi-disableuserinstalls) +- [ADMX_MSI/MSI_EnforceUpgradeComponentRules](./policy-csp-admx-msi.md#admx-msi-msi-enforceupgradecomponentrules) +- [ADMX_MSI/MSI_MaxPatchCacheSize](./policy-csp-admx-msi.md#admx-msi-msi-maxpatchcachesize) +- [ADMX_MSI/MsiDisableEmbeddedUI](./policy-csp-admx-msi.md#admx-msi-msidisableembeddedui) +- [ADMX_MSI/SafeForScripting](./policy-csp-admx-msi.md#admx-msi-safeforscripting) +- [ADMX_MSI/SearchOrder](./policy-csp-admx-msi.md#admx-msi-searchorder) +- [ADMX_MSI/TransformsSecure](./policy-csp-admx-msi.md#admx-msi-transformssecure) - [ADMX_nca/CorporateResources](./policy-csp-admx-nca.md#admx-nca-corporateresources) - [ADMX_nca/CustomCommands](./policy-csp-admx-nca.md#admx-nca-customcommands) - [ADMX_nca/DTEs](./policy-csp-admx-nca.md#admx-nca-dtes) @@ -380,14 +789,120 @@ ms.date: 10/08/2020 - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-2) - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-3) - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-4) +- [ADMX_Power/ACConnectivityInStandby_2](./policy-csp-admx-power.md#admx-power-acconnectivityinstandby-2) +- [ADMX_Power/ACCriticalSleepTransitionsDisable_2](./policy-csp-admx-power.md#admx-power-accriticalsleeptransitionsdisable-2) +- [ADMX_Power/ACStartMenuButtonAction_2](./policy-csp-admx-power.md#admx-power-acstartmenubuttonaction-2) +- [ADMX_Power/AllowSystemPowerRequestAC](./policy-csp-admx-power.md#admx-power-allowsystempowerrequestac) +- [ADMX_Power/AllowSystemPowerRequestDC](./policy-csp-admx-power.md#admx-power-allowsystempowerrequestdc) +- [ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC](./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopenac) +- [ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC](./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopendc) +- [ADMX_Power/CustomActiveSchemeOverride_2](./policy-csp-admx-power.md#admx-power-customactiveschemeoverride-2) +- [ADMX_Power/DCBatteryDischargeAction0_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction0-2) +- [ADMX_Power/DCBatteryDischargeAction1_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction1-2) +- [ADMX_Power/DCBatteryDischargeLevel0_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel0-2) +- [ADMX_Power/DCBatteryDischargeLevel1UINotification_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1uinotification-2) +- [ADMX_Power/DCBatteryDischargeLevel1_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1-2) +- [ADMX_Power/DCConnectivityInStandby_2](./policy-csp-admx-power.md#admx-power-dcconnectivityinstandby-2) +- [ADMX_Power/DCCriticalSleepTransitionsDisable_2](./policy-csp-admx-power.md#admx-power-dccriticalsleeptransitionsdisable-2) +- [ADMX_Power/DCStartMenuButtonAction_2](./policy-csp-admx-power.md#admx-power-dcstartmenubuttonaction-2) +- [ADMX_Power/DiskACPowerDownTimeOut_2](./policy-csp-admx-power.md#admx-power-diskacpowerdowntimeout-2) +- [ADMX_Power/DiskDCPowerDownTimeOut_2](./policy-csp-admx-power.md#admx-power-diskdcpowerdowntimeout-2) +- [ADMX_Power/Dont_PowerOff_AfterShutdown](./policy-csp-admx-power.md#admx-power-dont-poweroff-aftershutdown) +- [ADMX_Power/EnableDesktopSlideShowAC](./policy-csp-admx-power.md#admx-power-enabledesktopslideshowac) +- [ADMX_Power/EnableDesktopSlideShowDC](./policy-csp-admx-power.md#admx-power-enabledesktopslideshowdc) +- [ADMX_Power/InboxActiveSchemeOverride_2](./policy-csp-admx-power.md#admx-power-inboxactiveschemeoverride-2) +- [ADMX_Power/PW_PromptPasswordOnResume](./policy-csp-admx-power.md#admx-power-pw-promptpasswordonresume) +- [ADMX_Power/PowerThrottlingTurnOff](./policy-csp-admx-power.md#admx-power-powerthrottlingturnoff) +- [ADMX_Power/ReserveBatteryNotificationLevel](./policy-csp-admx-power.md#admx-power-reservebatterynotificationlevel) - [ADMX_PowerShellExecutionPolicy/EnableModuleLogging](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablemodulelogging) - [ADMX_PowerShellExecutionPolicy/EnableScripts](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts) - [ADMX_PowerShellExecutionPolicy/EnableTranscripting](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting) - [ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath) +- [ADMX_Printing/AllowWebPrinting](./policy-csp-admx-printing.md#admx-printing-allowwebprinting) +- [ADMX_Printing/ApplicationDriverIsolation](./policy-csp-admx-printing.md#admx-printing-applicationdriverisolation) +- [ADMX_Printing/CustomizedSupportUrl](./policy-csp-admx-printing.md#admx-printing-customizedsupporturl) +- [ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate](./policy-csp-admx-printing.md#admx-printing-donotinstallcompatibledriverfromwindowsupdate) +- [ADMX_Printing/DomainPrinters](./policy-csp-admx-printing.md#admx-printing-domainprinters) +- [ADMX_Printing/DownlevelBrowse](./policy-csp-admx-printing.md#admx-printing-downlevelbrowse) +- [ADMX_Printing/EMFDespooling](./policy-csp-admx-printing.md#admx-printing-emfdespooling) +- [ADMX_Printing/ForceSoftwareRasterization](./policy-csp-admx-printing.md#admx-printing-forcesoftwarerasterization) +- [ADMX_Printing/IntranetPrintersUrl](./policy-csp-admx-printing.md#admx-printing-intranetprintersurl) +- [ADMX_Printing/KMPrintersAreBlocked](./policy-csp-admx-printing.md#admx-printing-kmprintersareblocked) +- [ADMX_Printing/LegacyDefaultPrinterMode](./policy-csp-admx-printing.md#admx-printing-legacydefaultprintermode) +- [ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS](./policy-csp-admx-printing.md#admx-printing-mxdwuselegacyoutputformatmsxps) +- [ADMX_Printing/NoDeletePrinter](./policy-csp-admx-printing.md#admx-printing-nodeleteprinter) +- [ADMX_Printing/NonDomainPrinters](./policy-csp-admx-printing.md#admx-printing-nondomainprinters) +- [ADMX_Printing/PackagePointAndPrintOnly](./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly) +- [ADMX_Printing/PackagePointAndPrintOnly_Win7](./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly-win7) +- [ADMX_Printing/PackagePointAndPrintServerList](./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist) +- [ADMX_Printing/PackagePointAndPrintServerList_Win7](./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist-win7) +- [ADMX_Printing/PhysicalLocation](./policy-csp-admx-printing.md#admx-printing-physicallocation) +- [ADMX_Printing/PhysicalLocationSupport](./policy-csp-admx-printing.md#admx-printing-physicallocationsupport) +- [ADMX_Printing/PrintDriverIsolationExecutionPolicy](./policy-csp-admx-printing.md#admx-printing-printdriverisolationexecutionpolicy +) +- [ADMX_Printing/PrintDriverIsolationOverrideCompat](./policy-csp-admx-printing.md#admx-printing-printdriverisolationoverridecompat) +- [ADMX_Printing/PrinterDirectorySearchScope](./policy-csp-admx-printing.md#admx-printing-printerdirectorysearchscope) +- [ADMX_Printing/PrinterServerThread](./policy-csp-admx-printing.md#admx-printing-printerserverthread) +- [ADMX_Printing/ShowJobTitleInEventLogs](./policy-csp-admx-printing.md#admx-printing-showjobtitleineventlogs) +- [ADMX_Printing/V4DriverDisallowPrinterExtension](./policy-csp-admx-printing.md#admx-printing-v4driverdisallowprinterextension) +- [ADMX_Printing2/AutoPublishing](./policy-csp-admx-printing2.md#admx-printing2-autopublishing) +- [ADMX_Printing2/ImmortalPrintQueue](./policy-csp-admx-printing2.md#admx-printing2-immortalprintqueue) +- [ADMX_Printing2/PruneDownlevel](./policy-csp-admx-printing2.md#admx-printing2-prunedownlevel) +- [ADMX_Printing2/PruningInterval](./policy-csp-admx-printing2.md#admx-printing2-pruninginterval) +- [ADMX_Printing2/PruningPriority](./policy-csp-admx-printing2.md#admx-printing2-pruningpriority) +- [ADMX_Printing2/PruningRetries](./policy-csp-admx-printing2.md#admx-printing2-pruningretries) +- [ADMX_Printing2/PruningRetryLog](./policy-csp-admx-printing2.md#admx-printing2-pruningretrylog) +- [ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint](./policy-csp-admx-printing2.md#admx-printing2-registerspoolerremoterpcendpoint) +- [ADMX_Printing2/VerifyPublishedState](./policy-csp-admx-printing2.md#admx-printing2-verifypublishedstate) +- [ADMX_Programs/NoDefaultPrograms](./policy-csp-admx-programs.md#admx-programs-nodefaultprograms) +- [ADMX_Programs/NoGetPrograms](./policy-csp-admx-programs.md#admx-programs-nogetprograms) +- [ADMX_Programs/NoInstalledUpdates](./policy-csp-admx-programs.md#admx-programs-noinstalledupdates) +- [ADMX_Programs/NoProgramsAndFeatures](./policy-csp-admx-programs.md#admx-programs-noprogramsandfeatures) +- [ADMX_Programs/NoProgramsCPL](./policy-csp-admx-programs.md#admx-programs-noprogramscpl) +- [ADMX_Programs/NoWindowsFeatures](./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures) +- [ADMX_Programs/NoWindowsMarketplace](./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace) - [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp) - [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents) - [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile) - [ADMX_Reliability/ShutdownReason](./policy-csp-admx-reliability.md#admx-reliability-shutdownreason) +- [ADMX_RemoteAssistance/RA_EncryptedTicketOnly](./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-encryptedticketonly) +- [ADMX_RemoteAssistance/RA_Optimize_Bandwidth](./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-optimize-bandwidth) +- [ADMX_RemovableStorage/AccessRights_RebootTime_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-1) +- [ADMX_RemovableStorage/AccessRights_RebootTime_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-2) +- [ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyexecute-access-2) +- [ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-1) +- [ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-2) +- [ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-1) +- [ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-2) +- [ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-1) +- [ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-2) +- [ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-1) +- [ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-2) +- [ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyexecute-access-2) +- [ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-1) +- [ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-2) +- [ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-1) +- [ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-2) +- [ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyexecute-access-2) +- [ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-1) +- [ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-2) +- [ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denywrite-access-1) +- [ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-1) +- [ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-2) +- [ADMX_RemovableStorage/Removable_Remote_Allow_Access](./policy-csp-admx-removablestorage.md#admx-removablestorage-removable-remote-allow-access) +- [ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyexecute-access-2) +- [ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-1) +- [ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-2) +- [ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-1) +- [ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-2) +- [ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-1) +- [ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-2) +- [ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-1) +- [ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-2) +- [ADMX_RPC/RpcExtendedErrorInformation](./policy-csp-admx-rpc.md#admx-rpc-rpcextendederrorinformation) +- [ADMX_RPC/RpcIgnoreDelegationFailure](./policy-csp-admx-rpc.md#admx-rpc-rpcignoredelegationfailure) +- [ADMX_RPC/RpcMinimumHttpConnectionTimeout](./policy-csp-admx-rpc.md#admx-rpc-rpcminimumhttpconnectiontimeout) +- [ADMX_RPC/RpcStateInformation](./policy-csp-admx-rpc.md#admx-rpc-rpcstateinformation) - [ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled](./policy-csp-admx-scripts.md#admx-scripts-allow-logon-script-netbiosdisabled) - [ADMX_Scripts/MaxGPOScriptWaitPolicy](./policy-csp-admx-scripts.md#admx-scripts-maxgposcriptwaitpolicy) - [ADMX_Scripts/Run_Computer_PS_Scripts_First](./policy-csp-admx-scripts.md#admx-scripts-run-computer-ps-scripts-first) @@ -410,6 +925,15 @@ ms.date: 10/08/2020 - [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1) - [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2) - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing) +- [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync) +- [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync) +- [ADMX_SettingSync/DisableCredentialsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablecredentialssettingsync) +- [ADMX_SettingSync/DisableDesktopThemeSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disabledesktopthemesettingsync) +- [ADMX_SettingSync/DisablePersonalizationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablepersonalizationsettingsync) +- [ADMX_SettingSync/DisableSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablesettingsync) +- [ADMX_SettingSync/DisableStartLayoutSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablestartlayoutsettingsync) +- [ADMX_SettingSync/DisableSyncOnPaidNetwork](./policy-csp-admx-settingsync.md#admx-settingsync-disablesynconpaidnetwork) +- [ADMX_SettingSync/DisableWindowsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablewindowssettingsync) - [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots) - [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders) - [ADMX_Sharing/NoInplaceSharing](./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing) @@ -417,6 +941,7 @@ ms.date: 10/08/2020 - [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit) - [ADMX_ShellCommandPromptRegEditTools/DisallowApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disallowapps) - [ADMX_ShellCommandPromptRegEditTools/RestrictApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd) +- [ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn](./policy-csp-admx-skydrive.md#admx-skydrive-preventnetworktrafficpreusersignin) - [ADMX_Smartcard/AllowCertificatesWithNoEKU](./policy-csp-admx-smartcard.md#admx-smartcard-allowcertificateswithnoeku) - [ADMX_Smartcard/AllowIntegratedUnblock](./policy-csp-admx-smartcard.md#admx-smartcard-allowintegratedunblock) - [ADMX_Smartcard/AllowSignatureOnlyKeys](./policy-csp-admx-smartcard.md#admx-smartcard-allowsignatureonlykeys) @@ -503,6 +1028,7 @@ ms.date: 10/08/2020 - [ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey](./policy-csp-admx-startmenu.md#admx-startmenu-showstartondisplaywithforegroundonwinkey) - [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff) - [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled) +- [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig) - [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter) - [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications) - [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth) @@ -677,6 +1203,14 @@ ms.date: 10/08/2020 - [ADMX_UserExperienceVirtualization/Video](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-video) - [ADMX_UserExperienceVirtualization/Weather](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-weather) - [ADMX_UserExperienceVirtualization/Wordpad](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-wordpad) +- [ADMX_UserProfiles/CleanupProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-cleanupprofiles) +- [ADMX_UserProfiles/DontForceUnloadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-dontforceunloadhive) +- [ADMX_UserProfiles/LeaveAppMgmtData](./policy-csp-admx-userprofiles.md#admx-userprofiles-leaveappmgmtdata) +- [ADMX_UserProfiles/LimitSize](./policy-csp-admx-userprofiles.md#admx-userprofiles-limitsize) +- [ADMX_UserProfiles/ProfileErrorAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileerroraction) +- [ADMX_UserProfiles/SlowLinkTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinktimeout) +- [ADMX_UserProfiles/USER_HOME](./policy-csp-admx-userprofiles.md#admx-userprofiles-user-home) +- [ADMX_UserProfiles/UserInfoAccessAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-userinfoaccessaction) - [ADMX_W32Time/W32TIME_POLICY_CONFIG](./policy-csp-admx-w32time.md#admx-w32time-policy-config) - [ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient) - [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpclient) @@ -783,6 +1317,8 @@ ms.date: 10/08/2020 - [ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventwmpdesktopshortcut) - [ADMX_WindowsMediaPlayer/SkinLockDown](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-skinlockdown) - [ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-windowsstreamingmediaprotocols) +- [ADMX_WindowsRemoteManagement/DisallowKerberos_1](./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-1) +- [ADMX_WindowsRemoteManagement/DisallowKerberos_2](./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-2) - [ADMX_WindowsStore/DisableAutoDownloadWin8](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableautodownloadwin8) - [ADMX_WindowsStore/DisableOSUpgrade_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-1) - [ADMX_WindowsStore/DisableOSUpgrade_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-2) @@ -791,9 +1327,21 @@ ms.date: 10/08/2020 - [ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription](./policy-csp-admx-wininit.md#admx-wininit-disablenamedpipeshutdownpolicydescription) - [ADMX_WinInit/Hiberboot](./policy-csp-admx-wininit.md#admx-wininit-hiberboot) - [ADMX_WinInit/ShutdownTimeoutHungSessionsDescription](./policy-csp-admx-wininit.md#admx-wininit-shutdowntimeouthungsessionsdescription) +- [ADMX_WinLogon/CustomShell](./policy-csp-admx-winlogon.md#admx-winlogon-customshell) +- [ADMX_WinLogon/DisplayLastLogonInfoDescription](./policy-csp-admx-winlogon.md#admx-winlogon-displaylastlogoninfodescription) +- [ADMX_WinLogon/LogonHoursNotificationPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhoursnotificationpolicydescription) +- [ADMX_WinLogon/LogonHoursPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhourspolicydescription) +- [ADMX_WinLogon/ReportCachedLogonPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-reportcachedlogonpolicydescription) +- [ADMX_WinLogon/SoftwareSASGeneration](./policy-csp-admx-winlogon.md#admx-winlogon-softwaresasgeneration) - [ADMX_wlansvc/SetCost](./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost) - [ADMX_wlansvc/SetPINEnforced](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced) -- [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred) +- [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred) +- [ADMX_WPN/NoCallsDuringQuietHours](./policy-csp-admx-wpn.md#admx-wpn-nocallsduringquiethours) +- [ADMX_WPN/NoLockScreenToastNotification](./policy-csp-admx-wpn.md#admx-wpn-nolockscreentoastnotification) +- [ADMX_WPN/NoQuietHours](./policy-csp-admx-wpn.md#admx-wpn-noquiethours) +- [ADMX_WPN/NoToastNotification](./policy-csp-admx-wpn.md#admx-wpn-notoastnotification) +- [ADMX_WPN/QuietHoursDailyBeginMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailybeginminute) +- [ADMX_WPN/QuietHoursDailyEndMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailyendminute) - [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) - [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) - [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) @@ -844,12 +1392,12 @@ ms.date: 10/08/2020 - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) - [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) - [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses) -- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork) -- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses) +- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork) +- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses) - [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera) - [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) - [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 09c680512c..e633560ef3 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -220,12 +220,12 @@ ms.date: 07/18/2019 - [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity) - [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags) - [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses) -- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork) -- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses) +- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork) +- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses) - [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage) - [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera) - [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) @@ -731,7 +731,6 @@ ms.date: 07/18/2019 - [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) - [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) - [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch) -- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad) - [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles) - [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems) - [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 739826c640..bd4bcafd21 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -50,17 +50,17 @@ ms.date: 10/08/2020 - [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength) - [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana) - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) -- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) -- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) -- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) -- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) -- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) -- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) -- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) -- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) -- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) -- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) -- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) +- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9 +- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 +- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 +- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 +- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9 +- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9 +- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) 9 +- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) 9 +- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) 9 +- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) 9 +- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) 9 - [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization) - [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo) - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps) @@ -83,20 +83,22 @@ ms.date: 10/08/2020 - [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) 8 - [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) 8 - [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) 8 +- [RemoteLock/Lock](https://docs.microsoft.com/windows/client-management/mdm/remotelock-csp) 9 - [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation) -- [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage) -- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage) +- [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage) 9 +- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage) 9 - [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime) - [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) +- [Settings/PageVisibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) 9 - [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline) - [System/AllowLocation](policy-csp-system.md#system-allowlocation) - [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard) - [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry) -- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) -- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) -- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) -- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) +- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) 9 +- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) 9 +- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) 9 +- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) 9 - [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate) - [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice) - [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel) @@ -122,6 +124,7 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 9 - Available in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2) ## Related topics diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a1a8db3a83..5056143d53 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -168,6 +168,14 @@ The following diagram shows the Policy configuration service provider in tree fo +### ADMX_ActiveXInstallService policies + +
    +
    + ADMX_ActiveXInstallService/AxISURLZonePolicies +
    +
    + ### ADMX_AddRemovePrograms policies
    @@ -237,6 +245,51 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_AppxPackageManager policies + +
    +
    + ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles +
    +
    + +### ADMX_AppXRuntime policies + +
    +
    + ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules +
    +
    + ADMX_AppXRuntime/AppxRuntimeBlockFileElevation +
    +
    + ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT +
    +
    + ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation +
    +
    + +### ADMX_AttachmentManager policies + +
    +
    + ADMX_AttachmentManager/AM_EstimateFileHandlerRisk +
    +
    + ADMX_AttachmentManager/AM_SetFileRiskLevel +
    +
    + ADMX_AttachmentManager/AM_SetHighRiskInclusion +
    +
    + ADMX_AttachmentManager/AM_SetLowRiskInclusion +
    +
    + ADMX_AttachmentManager/AM_SetModRiskInclusion +
    +
    + ### ADMX_AuditSettings policies
    @@ -245,6 +298,7 @@ The following diagram shows the Policy configuration service provider in tree fo
    + ### ADMX_Bits policies
    @@ -314,6 +368,99 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_ControlPanel policies + +
    +
    + ADMX_ControlPanel/DisallowCpls +
    +
    + ADMX_ControlPanel/ForceClassicControlPanel +
    +
    + ADMX_ControlPanel/NoControlPanel +
    +
    + ADMX_ControlPanel/RestrictCpls +
    +
    + +### ADMX_ControlPanelDisplay policies + +
    +
    + ADMX_ControlPanelDisplay/CPL_Display_Disable +
    +
    + ADMX_ControlPanelDisplay/CPL_Display_HideSettings +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground +
    +
    ### ADMX_Cpls policies @@ -332,6 +479,66 @@ The following diagram shows the Policy configuration service provider in tree fo +### ADMX_CredentialProviders policies + +
    +
    + ADMX_CredentialProviders/AllowDomainDelayLock +
    +
    + ADMX_CredentialProviders/DefaultCredentialProvider +
    +
    + ADMX_CredentialProviders/ExcludedCredentialProviders +
    +
    + +### ADMX_CredSsp policies + +
    +
    + ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly +
    +
    + ADMX_CredSsp/AllowDefaultCredentials +
    +
    + ADMX_CredSsp/AllowEncryptionOracle +
    +
    + ADMX_CredSsp/AllowFreshCredentials +
    +
    + ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly +
    +
    + ADMX_CredSsp/AllowSavedCredentials +
    +
    + ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly +
    +
    + ADMX_CredSsp/DenyDefaultCredentials +
    +
    + ADMX_CredSsp/DenyFreshCredentials +
    +
    + ADMX_CredSsp/DenySavedCredentials +
    +
    + ADMX_CredSsp/RestrictedRemoteAdministration + +### ADMX_CredUI policies + +
    +
    + ADMX_CredUI/EnableSecureCredentialPrompting +
    +
    + ADMX_CredUI/NoLocalPasswordResetQuestions +
    +
    ### ADMX_CtrlAltDel policies
    @@ -340,6 +547,146 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_DataCollection policies + +
    +
    + ADMX_DataCollection/CommercialIdPolicy +
    +
    + +### ADMX_Desktop policies + +
    +
    + ADMX_Desktop/AD_EnableFilter +
    +
    + ADMX_Desktop/AD_HideDirectoryFolder +
    +
    + ADMX_Desktop/AD_QueryLimit +
    +
    + ADMX_Desktop/ForceActiveDesktopOn +
    +
    + ADMX_Desktop/NoActiveDesktop +
    +
    + ADMX_Desktop/NoActiveDesktopChanges +
    +
    + ADMX_Desktop/NoDesktop +
    +
    + ADMX_Desktop/NoDesktopCleanupWizard +
    +
    + ADMX_Desktop/NoInternetIcon +
    +
    + ADMX_Desktop/NoMyComputerIcon +
    +
    + ADMX_Desktop/NoMyDocumentsIcon +
    +
    + ADMX_Desktop/NoNetHood +
    +
    + ADMX_Desktop/NoPropertiesMyComputer +
    +
    + ADMX_Desktop/NoPropertiesMyDocuments +
    +
    + ADMX_Desktop/NoRecentDocsNetHood +
    +
    + ADMX_Desktop/NoRecycleBinIcon +
    +
    + ADMX_Desktop/NoRecycleBinProperties +
    +
    + ADMX_Desktop/NoSaveSettings +
    +
    + ADMX_Desktop/NoWindowMinimizingShortcuts +
    +
    + ADMX_Desktop/Wallpaper +
    +
    + ADMX_Desktop/sz_ATC_DisableAdd +
    +
    + ADMX_Desktop/sz_ATC_DisableClose +
    +
    + ADMX_Desktop/sz_ATC_DisableDel +
    +
    + ADMX_Desktop/sz_ATC_DisableEdit +
    +
    + ADMX_Desktop/sz_ATC_NoComponents +
    +
    + ADMX_Desktop/sz_AdminComponents_Title +
    +
    + ADMX_Desktop/sz_DB_DragDropClose +
    +
    + ADMX_Desktop/sz_DB_Moving +
    +
    + ADMX_Desktop/sz_DWP_NoHTMLPaper +
    +
    + +### ADMX_DeviceInstallation policies + +
    +
    + ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall +
    +
    + ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText +
    +
    + ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText +
    +
    + ADMX_DeviceInstallation/DeviceInstall_InstallTimeout +
    +
    + ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime +
    +
    + ADMX_DeviceInstallation/DeviceInstall_Removable_Deny +
    +
    + ADMX_DeviceInstallation/DeviceInstall_SystemRestore +
    +
    + ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser +
    +
    + +### ADMX_DeviceSetup policies + +
    +
    + ADMX_DeviceSetup/DeviceInstall_BalloonTips +
    +
    + ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration +
    +
    + ### ADMX_DigitalLocker policies
    @@ -444,6 +791,47 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_EAIME policies + +
    +
    + ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList +
    +
    + ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion +
    +
    + ADMX_EAIME/L_TurnOffCustomDictionary +
    +
    + ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput +
    +
    + ADMX_EAIME/L_TurnOffInternetSearchIntegration +
    +
    + ADMX_EAIME/L_TurnOffOpenExtendedDictionary +
    +
    + ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile +
    +
    + ADMX_EAIME/L_TurnOnCloudCandidate +
    +
    + ADMX_EAIME/L_TurnOnCloudCandidateCHS +
    +
    + ADMX_EAIME/L_TurnOnLexiconUpdate +
    +
    + ADMX_EAIME/L_TurnOnLiveStickers +
    +
    + ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport +
    +
    + ### ADMX_EncryptFilesonMove policies
    @@ -451,6 +839,121 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_EnhancedStorage policies + +
    +
    + ADMX_EnhancedStorage/ApprovedEnStorDevices +
    +
    + ADMX_EnhancedStorage/ApprovedSilos +
    +
    + ADMX_EnhancedStorage/DisablePasswordAuthentication +
    +
    + ADMX_EnhancedStorage/DisallowLegacyDiskDevices +
    +
    + ADMX_EnhancedStorage/LockDeviceOnMachineLock +
    +
    + ADMX_EnhancedStorage/RootHubConnectedEnStorDevices +
    +
    + +### ADMX_ErrorReporting policies + +
    +
    + ADMX_ErrorReporting/PCH_AllOrNoneDef +
    +
    + ADMX_ErrorReporting/PCH_AllOrNoneEx +
    +
    + ADMX_ErrorReporting/PCH_AllOrNoneInc +
    +
    + ADMX_ErrorReporting/PCH_ConfigureReport +
    +
    + ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults +
    +
    + ADMX_ErrorReporting/WerArchive_1 +
    +
    + ADMX_ErrorReporting/WerArchive_2 +
    +
    + ADMX_ErrorReporting/WerAutoApproveOSDumps_1 +
    +
    + ADMX_ErrorReporting/WerAutoApproveOSDumps_2 +
    +
    + ADMX_ErrorReporting/WerBypassDataThrottling_1 +
    +
    + ADMX_ErrorReporting/WerBypassDataThrottling_2 +
    +
    + ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1 +
    +
    + ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2 +
    +
    + ADMX_ErrorReporting/WerBypassPowerThrottling_1 +
    +
    + ADMX_ErrorReporting/WerBypassPowerThrottling_2 +
    +
    + ADMX_ErrorReporting/WerCER +
    +
    + ADMX_ErrorReporting/WerConsentCustomize_1 +
    +
    + ADMX_ErrorReporting/WerConsentOverride_1 +
    +
    + ADMX_ErrorReporting/WerConsentOverride_2 +
    +
    + ADMX_ErrorReporting/WerDefaultConsent_1 +
    +
    + ADMX_ErrorReporting/WerDefaultConsent_2 +
    +
    + ADMX_ErrorReporting/WerDisable_1 +
    +
    + ADMX_ErrorReporting/WerExlusion_1 +
    +
    + ADMX_ErrorReporting/WerExlusion_2 +
    +
    + ADMX_ErrorReporting/WerNoLogging_1 +
    +
    + ADMX_ErrorReporting/WerNoLogging_2 +
    +
    + ADMX_ErrorReporting/WerNoSecondLevelData_1 +
    +
    + ADMX_ErrorReporting/WerQueue_1 +
    +
    + ADMX_ErrorReporting/WerQueue_2 +
    +
    + ### ADMX_EventForwarding policies
    @@ -462,6 +965,94 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_EventLog policies + +
    +
    + ADMX_EventLog/Channel_LogEnabled +
    +
    + ADMX_EventLog/Channel_LogFilePath_1 +
    +
    + ADMX_EventLog/Channel_LogFilePath_2 +
    +
    + ADMX_EventLog/Channel_LogFilePath_3 +
    +
    + ADMX_EventLog/Channel_LogFilePath_4 +
    +
    + ADMX_EventLog/Channel_LogMaxSize_3 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_1 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_2 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_3 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_4 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_1 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_2 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_3 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_4 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_5 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_6 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_7 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_8 +
    +
    + ADMX_EventLog/Channel_Log_Retention_2 +
    +
    + ADMX_EventLog/Channel_Log_Retention_3 +
    +
    + ADMX_EventLog/Channel_Log_Retention_4 +
    +
    + +### ADMX_Explorer policies + +
    +
    + ADMX_Explorer/AdminInfoUrl +
    +
    + ADMX_Explorer/AlwaysShowClassicMenu +
    +
    + ADMX_Explorer/DisableRoamedProfileInit +
    +
    + ADMX_Explorer/PreventItemCreationInUsersFilesFolder +
    +
    + ADMX_Explorer/TurnOffSPIAnimations +
    +
    + ### ADMX_FileServerVSSProvider policies
    @@ -538,6 +1129,217 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_Globalization policies + +
    +
    + ADMX_Globalization/BlockUserInputMethodsForSignIn +
    +
    + ADMX_Globalization/CustomLocalesNoSelect_1 +
    +
    + ADMX_Globalization/CustomLocalesNoSelect_2 +
    +
    + ADMX_Globalization/HideAdminOptions +
    +
    + ADMX_Globalization/HideCurrentLocation +
    +
    + ADMX_Globalization/HideLanguageSelection +
    +
    + ADMX_Globalization/HideLocaleSelectAndCustomize +
    +
    + ADMX_Globalization/ImplicitDataCollectionOff_1 +
    +
    + ADMX_Globalization/ImplicitDataCollectionOff_2 +
    +
    + ADMX_Globalization/LocaleSystemRestrict +
    +
    + ADMX_Globalization/LocaleUserRestrict_1 +
    +
    + ADMX_Globalization/LocaleUserRestrict_2 +
    +
    + ADMX_Globalization/LockMachineUILanguage +
    +
    + ADMX_Globalization/LockUserUILanguage +
    +
    + ADMX_Globalization/PreventGeoIdChange_1 +
    +
    + ADMX_Globalization/PreventGeoIdChange_2 +
    +
    + ADMX_Globalization/PreventUserOverrides_1 +
    +
    + ADMX_Globalization/PreventUserOverrides_2 +
    +
    + ADMX_Globalization/RestrictUILangSelect +
    +
    + ADMX_Globalization/TurnOffAutocorrectMisspelledWords +
    +
    + ADMX_Globalization/TurnOffHighlightMisspelledWords +
    +
    + ADMX_Globalization/TurnOffInsertSpace +
    +
    + ADMX_Globalization/TurnOffOfferTextPredictions +
    +
    + ADMX_Globalization/Y2K +
    +
    + +### ADMX_GroupPolicy policies + +
    +
    + ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP +
    +
    + ADMX_GroupPolicy/CSE_AppMgmt +
    +
    + ADMX_GroupPolicy/CSE_DiskQuota +
    +
    + ADMX_GroupPolicy/CSE_EFSRecovery +
    +
    + ADMX_GroupPolicy/CSE_FolderRedirection +
    +
    + ADMX_GroupPolicy/CSE_IEM +
    +
    + ADMX_GroupPolicy/CSE_IPSecurity +
    +
    + ADMX_GroupPolicy/CSE_Registry +
    +
    + ADMX_GroupPolicy/CSE_Scripts +
    +
    + ADMX_GroupPolicy/CSE_Security +
    +
    + ADMX_GroupPolicy/CSE_Wired +
    +
    + ADMX_GroupPolicy/CSE_Wireless +
    +
    + ADMX_GroupPolicy/CorpConnSyncWaitTime +
    +
    + ADMX_GroupPolicy/DenyRsopToInteractiveUser_1 +
    +
    + ADMX_GroupPolicy/DenyRsopToInteractiveUser_2 +
    +
    + ADMX_GroupPolicy/DisableAOACProcessing +
    +
    + ADMX_GroupPolicy/DisableAutoADMUpdate +
    +
    + ADMX_GroupPolicy/DisableBackgroundPolicy +
    +
    + ADMX_GroupPolicy/DisableLGPOProcessing +
    +
    + ADMX_GroupPolicy/DisableUsersFromMachGP +
    +
    + ADMX_GroupPolicy/EnableCDP +
    +
    + ADMX_GroupPolicy/EnableLogonOptimization +
    +
    + ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU +
    +
    + ADMX_GroupPolicy/EnableMMX +
    +
    + ADMX_GroupPolicy/EnforcePoliciesOnly +
    +
    + ADMX_GroupPolicy/FontMitigation +
    +
    + ADMX_GroupPolicy/GPDCOptions +
    +
    + ADMX_GroupPolicy/GPTransferRate_1 +
    +
    + ADMX_GroupPolicy/GPTransferRate_2 +
    +
    + ADMX_GroupPolicy/GroupPolicyRefreshRate +
    +
    + ADMX_GroupPolicy/GroupPolicyRefreshRateDC +
    +
    + ADMX_GroupPolicy/GroupPolicyRefreshRateUser +
    +
    + ADMX_GroupPolicy/LogonScriptDelay +
    +
    + ADMX_GroupPolicy/NewGPODisplayName +
    +
    + ADMX_GroupPolicy/NewGPOLinksDisabled +
    +
    + ADMX_GroupPolicy/OnlyUseLocalAdminFiles +
    +
    + ADMX_GroupPolicy/ProcessMitigationOptions +
    +
    + ADMX_GroupPolicy/RSoPLogging +
    +
    + ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy +
    +
    + ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess +
    +
    + ADMX_GroupPolicy/SlowlinkDefaultToAsync +
    +
    + ADMX_GroupPolicy/SyncWaitTime +
    +
    + ADMX_GroupPolicy/UserPolicyMode +
    +
    + ### ADMX_HelpAndSupport policies
    @@ -554,6 +1356,89 @@ The following diagram shows the Policy configuration service provider in tree fo
    +## ADMX_ICM policies + +
    +
    + ADMX_ICM/CEIPEnable +
    +
    + ADMX_ICM/CertMgr_DisableAutoRootUpdates +
    +
    + ADMX_ICM/DisableHTTPPrinting_1 +
    +
    + ADMX_ICM/DisableWebPnPDownload_1 +
    +
    + ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate +
    +
    + ADMX_ICM/EventViewer_DisableLinks +
    +
    + ADMX_ICM/HSS_HeadlinesPolicy +
    +
    + ADMX_ICM/HSS_KBSearchPolicy +
    +
    + ADMX_ICM/InternetManagement_RestrictCommunication_1 +
    +
    + ADMX_ICM/InternetManagement_RestrictCommunication_2 +
    +
    + ADMX_ICM/NC_ExitOnISP +
    +
    + ADMX_ICM/NC_NoRegistration +
    +
    + ADMX_ICM/PCH_DoNotReport +
    +
    + ADMX_ICM/RemoveWindowsUpdate_ICM +
    +
    + ADMX_ICM/SearchCompanion_DisableFileUpdates +
    +
    + ADMX_ICM/ShellNoUseInternetOpenWith_1 +
    +
    + ADMX_ICM/ShellNoUseInternetOpenWith_2 +
    +
    + ADMX_ICM/ShellNoUseStoreOpenWith_1 +
    +
    + ADMX_ICM/ShellNoUseStoreOpenWith_2 +
    +
    + ADMX_ICM/ShellPreventWPWDownload_1 +
    +
    + ADMX_ICM/ShellRemoveOrderPrints_1 +
    +
    + ADMX_ICM/ShellRemoveOrderPrints_2 +
    +
    + ADMX_ICM/ShellRemovePublishToWeb_1 +
    +
    + ADMX_ICM/ShellRemovePublishToWeb_2 +
    +
    + ADMX_ICM/WinMSG_NoInstrumentation_1 +
    +
    + ADMX_ICM/WinMSG_NoInstrumentation_2 +
    +
    + ### ADMX_kdc policies
    @@ -576,6 +1461,35 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_Kerberos policies + +
    +
    + ADMX_Kerberos/AlwaysSendCompoundId +
    +
    + ADMX_Kerberos/DevicePKInitEnabled +
    +
    + ADMX_Kerberos/HostToRealm +
    +
    + ADMX_Kerberos/KdcProxyDisableServerRevocationCheck +
    +
    + ADMX_Kerberos/KdcProxyServer +
    +
    + ADMX_Kerberos/MitRealms +
    +
    + ADMX_Kerberos/ServerAcceptsCompound +
    +
    + ADMX_Kerberos/StrictTarget +
    +
    + ### ADMX_LanmanServer policies
    @@ -592,6 +1506,20 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_LanmanWorkstation policies + +
    +
    + ADMX_LanmanWorkstation/Pol_CipherSuiteOrder +
    +
    + ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles +
    +
    + ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares +
    +
    + ### ADMX_LinkLayerTopologyDiscovery policies
    @@ -602,6 +1530,340 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_Logon policies + +
    +
    + ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin +
    +
    + ADMX_Logon/DisableAcrylicBackgroundOnLogon +
    +
    + ADMX_Logon/DisableExplorerRunLegacy_1 +
    +
    + ADMX_Logon/DisableExplorerRunLegacy_2 +
    +
    + ADMX_Logon/DisableExplorerRunOnceLegacy_1 +
    +
    + ADMX_Logon/DisableExplorerRunOnceLegacy_2 +
    +
    + ADMX_Logon/DisableStatusMessages +
    +
    + ADMX_Logon/DontEnumerateConnectedUsers +
    +
    + ADMX_Logon/NoWelcomeTips_1 +
    +
    + ADMX_Logon/NoWelcomeTips_2 +
    +
    + ADMX_Logon/Run_1 +
    +
    + ADMX_Logon/Run_2 +
    +
    + ADMX_Logon/SyncForegroundPolicy +
    +
    + ADMX_Logon/UseOEMBackground +
    +
    + ADMX_Logon/VerboseStatus +
    +
    + +### ADMX_MicrosoftDefenderAntivirus policies + +
    +
    + ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction +
    +
    + ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions +
    +
    + ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths +
    +
    + ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders +
    +
    + ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation +
    +
    + ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement +
    +
    + ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid +
    +
    + ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition +
    +
    + ADMX_MicrosoftDefenderAntivirus/ProxyBypass +
    +
    + ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl +
    +
    + ADMX_MicrosoftDefenderAntivirus/ProxyServer +
    +
    + ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay +
    +
    + ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection +
    +
    + ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup +
    +
    + ADMX_MicrosoftDefenderAntivirus/SpynetReporting +
    +
    + ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting +
    +
    + ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown +
    +
    + ### ADMX_MMC policies
    @@ -945,6 +2207,108 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_msched policies + +
    +
    + ADMX_msched/ActivationBoundaryPolicy +
    +
    + ADMX_msched/RandomDelayPolicy +
    +
    + +### ADMX_MSDT policies + +
    +
    + ADMX_MSDT/MsdtSupportProvider +
    +
    + ADMX_MSDT/MsdtToolDownloadPolicy +
    +
    + ADMX_MSDT/WdiScenarioExecutionPolicy +
    +
    + +### ADMX_MSI policies + +
    +
    + ADMX_MSI/AllowLockdownBrowse +
    +
    + ADMX_MSI/AllowLockdownMedia +
    +
    + ADMX_MSI/AllowLockdownPatch +
    +
    + ADMX_MSI/DisableAutomaticApplicationShutdown +
    +
    + ADMX_MSI/DisableBrowse +
    +
    + ADMX_MSI/DisableFlyweightPatching +
    +
    + ADMX_MSI/DisableLoggingFromPackage +
    +
    + ADMX_MSI/DisableMSI +
    +
    + ADMX_MSI/DisableMedia +
    +
    + ADMX_MSI/DisablePatch +
    +
    + ADMX_MSI/DisableRollback_1 +
    +
    + ADMX_MSI/DisableRollback_2 +
    +
    + ADMX_MSI/DisableSharedComponent +
    +
    + ADMX_MSI/MSILogging +
    +
    + ADMX_MSI/MSI_DisableLUAPatching +
    +
    + ADMX_MSI/MSI_DisablePatchUninstall +
    +
    + ADMX_MSI/MSI_DisableSRCheckPoints +
    +
    + ADMX_MSI/MSI_DisableUserInstalls +
    +
    + ADMX_MSI/MSI_EnforceUpgradeComponentRules +
    +
    + ADMX_MSI/MSI_MaxPatchCacheSize +
    +
    + ADMX_MSI/MsiDisableEmbeddedUI +
    +
    + ADMX_MSI/SafeForScripting +
    +
    + ADMX_MSI/SearchOrder +
    +
    + ADMX_MSI/TransformsSecure +
    +
    + ### ADMX_nca policies
    @@ -1385,6 +2749,86 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_Power policies + +
    +
    + ADMX_Power/ACConnectivityInStandby_2 +
    +
    + ADMX_Power/ACCriticalSleepTransitionsDisable_2 +
    +
    + ADMX_Power/ACStartMenuButtonAction_2 +
    +
    + ADMX_Power/AllowSystemPowerRequestAC +
    +
    + ADMX_Power/AllowSystemPowerRequestDC +
    +
    + ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC +
    +
    + ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC +
    +
    + ADMX_Power/CustomActiveSchemeOverride_2 +
    +
    + ADMX_Power/DCBatteryDischargeAction0_2 +
    +
    + ADMX_Power/DCBatteryDischargeAction1_2 +
    +
    + ADMX_Power/DCBatteryDischargeLevel0_2 +
    +
    + ADMX_Power/DCBatteryDischargeLevel1UINotification_2 +
    +
    + ADMX_Power/DCBatteryDischargeLevel1_2 +
    +
    + ADMX_Power/DCConnectivityInStandby_2 +
    +
    + ADMX_Power/DCCriticalSleepTransitionsDisable_2 +
    +
    + ADMX_Power/DCStartMenuButtonAction_2 +
    +
    + ADMX_Power/DiskACPowerDownTimeOut_2 +
    +
    + ADMX_Power/DiskDCPowerDownTimeOut_2 +
    +
    + ADMX_Power/Dont_PowerOff_AfterShutdown +
    +
    + ADMX_Power/EnableDesktopSlideShowAC +
    +
    + ADMX_Power/EnableDesktopSlideShowDC +
    +
    + ADMX_Power/InboxActiveSchemeOverride_2 +
    +
    + ADMX_Power/PW_PromptPasswordOnResume +
    +
    + ADMX_Power/PowerThrottlingTurnOff +
    +
    + ADMX_Power/ReserveBatteryNotificationLevel +
    +
    + ### ADMX_PowerShellExecutionPolicy policies
    @@ -1402,6 +2846,148 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_Printing policies + +
    +
    + ADMX_Printing/AllowWebPrinting +
    +
    + ADMX_Printing/ApplicationDriverIsolation +
    +
    + ADMX_Printing/CustomizedSupportUrl +
    +
    + ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate +
    +
    + ADMX_Printing/DomainPrinters +
    +
    + ADMX_Printing/DownlevelBrowse +
    +
    + ADMX_Printing/EMFDespooling +
    +
    + ADMX_Printing/ForceSoftwareRasterization +
    +
    + ADMX_Printing/IntranetPrintersUrl +
    +
    + ADMX_Printing/KMPrintersAreBlocked +
    +
    + ADMX_Printing/LegacyDefaultPrinterMode +
    +
    + ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS +
    +
    + ADMX_Printing/NoDeletePrinter +
    +
    + ADMX_Printing/NonDomainPrinters +
    +
    + ADMX_Printing/PackagePointAndPrintOnly +
    +
    + ADMX_Printing/PackagePointAndPrintOnly_Win7 +
    +
    + ADMX_Printing/PackagePointAndPrintServerList +
    +
    + ADMX_Printing/PackagePointAndPrintServerList_Win7 +
    +
    + ADMX_Printing/PhysicalLocation +
    +
    + ADMX_Printing/PhysicalLocationSupport +
    +
    + ADMX_Printing/PrintDriverIsolationExecutionPolicy +
    +
    + ADMX_Printing/PrintDriverIsolationOverrideCompat +
    +
    + ADMX_Printing/PrinterDirectorySearchScope +
    +
    + ADMX_Printing/PrinterServerThread +
    +
    + ADMX_Printing/ShowJobTitleInEventLogs +
    +
    + ADMX_Printing/V4DriverDisallowPrinterExtension +
    +
    + +### ADMX_Printing2 policies + +
    +
    + ADMX_Printing2/AutoPublishing +
    +
    + ADMX_Printing2/ImmortalPrintQueue +
    +
    + ADMX_Printing2/PruneDownlevel +
    +
    + ADMX_Printing2/PruningInterval +
    +
    + ADMX_Printing2/PruningPriority +
    +
    + ADMX_Printing2/PruningRetries +
    +
    + ADMX_Printing2/PruningRetryLog +
    +
    + ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint +
    +
    + ADMX_Printing2/VerifyPublishedState +
    +
    + +### ADMX_Programs policies + +
    +
    + ADMX_Programs/NoDefaultPrograms +
    +
    + ADMX_Programs/NoGetPrograms +
    +
    + ADMX_Programs/NoInstalledUpdates +
    +
    + ADMX_Programs/NoProgramsAndFeatures +
    +
    + ADMX_Programs/NoProgramsCPL +
    +
    + ADMX_Programs/NoWindowsFeatures +
    +
    + ADMX_Programs/NoWindowsMarketplace +
    +
    + ### ADMX_Reliability policies
    @@ -1419,6 +3005,135 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_RemoteAssistance policies + +
    +
    + ADMX_RemoteAssistance/RA_EncryptedTicketOnly +
    +
    + ADMX_RemoteAssistance/RA_Optimize_Bandwidth +
    +
    + +### ADMX_RemovableStorage policies + +
    +
    + ADMX_RemovableStorage/AccessRights_RebootTime_1 +
    +
    + ADMX_RemovableStorage/AccessRights_RebootTime_2 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1 +
    +
    + ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2 +
    +
    + ADMX_RemovableStorage/Removable_Remote_Allow_Access +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2 +
    +
    + +### ADMX_RPC policies + +
    +
    + ADMX_RPC/RpcExtendedErrorInformation +
    +
    + ADMX_RPC/RpcIgnoreDelegationFailure +
    +
    + ADMX_RPC/RpcMinimumHttpConnectionTimeout +
    +
    + ADMX_RPC/RpcStateInformation +
    +
    + ### ADMX_Scripts policies
    @@ -1510,6 +3225,38 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_SettingSync policies + +
    +
    + ADMX_SettingSync/DisableAppSyncSettingSync +
    +
    + ADMX_SettingSync/DisableApplicationSettingSync +
    +
    + ADMX_SettingSync/DisableCredentialsSettingSync +
    +
    + ADMX_SettingSync/DisableDesktopThemeSettingSync +
    +
    + ADMX_SettingSync/DisablePersonalizationSettingSync +
    +
    + ADMX_SettingSync/DisableSettingSync +
    +
    + ADMX_SettingSync/DisableStartLayoutSettingSync +
    +
    + ADMX_SettingSync/DisableSyncOnPaidNetwork +
    +
    + ADMX_SettingSync/DisableWindowsSettingSync +
    +
    + ### ADMX_SharedFolders policies
    @@ -1546,6 +3293,14 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_SkyDrive policies + +
    +
    + ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn +
    +
    + ### ADMX_Smartcard policies
    @@ -1819,6 +3574,14 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_SystemRestore policies + +
    +
    + ADMX_SystemRestore/SR_DisableConfig +
    +
    + ### ADMX_Taskbar policies
    @@ -2366,6 +4129,35 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_UserProfiles policies + +
    +
    + ADMX_UserProfiles/CleanupProfiles +
    +
    + ADMX_UserProfiles/DontForceUnloadHive +
    +
    + ADMX_UserProfiles/LeaveAppMgmtData +
    +
    + ADMX_UserProfiles/LimitSize +
    +
    + ADMX_UserProfiles/ProfileErrorAction +
    +
    + ADMX_UserProfiles/SlowLinkTimeOut +
    +
    + ADMX_UserProfiles/USER_HOME +
    +
    + ADMX_UserProfiles/UserInfoAccessAction +
    +
    + ### ADMX_W32Time policies
    @@ -2725,6 +4517,17 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_WindowsRemoteManagement policies + +
    +
    + ADMX_WindowsRemoteManagement/DisallowKerberos_1 +
    +
    + ADMX_WindowsRemoteManagement/DisallowKerberos_2 +
    +
    + ### ADMX_WindowsStore policies
    @@ -2759,6 +4562,29 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_WinLogon policies + +
    +
    + ADMX_WinLogon/CustomShell +
    +
    + ADMX_WinLogon/DisplayLastLogonInfoDescription +
    +
    + ADMX_WinLogon/LogonHoursNotificationPolicyDescription +
    +
    + ADMX_WinLogon/LogonHoursPolicyDescription +
    +
    + ADMX_WinLogon/ReportCachedLogonPolicyDescription +
    +
    + ADMX_WinLogon/SoftwareSASGeneration +
    +
    + ### ADMX_wlansvc policies
    @@ -2773,6 +4599,29 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_WPN policies + +
    +
    + ADMX_WPN/NoCallsDuringQuietHours +
    +
    + ADMX_WPN/NoLockScreenToastNotification +
    +
    + ADMX_WPN/NoQuietHours +
    +
    + ADMX_WPN/NoToastNotification +
    +
    + ADMX_WPN/QuietHoursDailyBeginMinute +
    +
    + ADMX_WPN/QuietHoursDailyEndMinute +
    +
    + ### ApplicationDefaults policies
    @@ -3806,28 +5655,28 @@ The following diagram shows the Policy configuration service provider in tree fo
    - DeviceInstallation/AllowInstallationOfMatchingDeviceIDs + DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
    - DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses + DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
    - DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs + DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
    - DeviceInstallation/PreventDeviceMetadataFromNetwork + DeviceInstallation/PreventDeviceMetadataFromNetwork
    - DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
    - DeviceInstallation/PreventInstallationOfMatchingDeviceIDs + DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
    - DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs + DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
    - DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses + DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
    @@ -5722,9 +7571,6 @@ The following diagram shows the Policy configuration service provider in tree fo
    Search/AllowCloudSearch
    -
    - Search/AllowCortanaInAAD -
    Search/AllowFindMyFiles
    diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md new file mode 100644 index 0000000000..2b4c414ae7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -0,0 +1,120 @@ +--- +title: Policy CSP - ADMX_ActiveXInstallService +description: Policy CSP - ADMX_ActiveXInstallService +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ActiveXInstallService +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_ActiveXInstallService policies + +
    +
    + ADMX_ActiveXInstallService/AxISURLZonePolicies +
    +
    + + +
    + + +**ADMX_ActiveXInstallService/AxISURLZonePolicies** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the installation of ActiveX controls for sites in Trusted zone. + +If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. + +If you disable or do not configure this policy setting, ActiveX controls prompt the user before installation. + +If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate errors that you want to ignore. + +> [!NOTE] +> This policy setting applies to all sites in Trusted zones. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Establish ActiveX installation policy for sites in Trusted zones* +- GP name: *AxISURLZonePolicies* +- GP path: *Windows Components\ActiveX Installer Service* +- GP ADMX file name: *ActiveXInstallService.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 36128621e3..0c6e0067ac 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -106,7 +106,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. +Available in the latest Windows 10 Insider Preview Build. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. @@ -189,7 +189,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. @@ -270,7 +270,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. @@ -351,7 +351,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. @@ -433,7 +433,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. @@ -511,7 +511,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs. @@ -589,7 +589,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. @@ -668,7 +668,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. @@ -746,7 +746,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services. @@ -827,7 +827,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. If you disable this setting or do not configure it, the Support Info hyperlink appears. @@ -908,7 +908,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. @@ -941,14 +941,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index ef0f985661..b626e67721 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -108,7 +108,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. @@ -185,7 +185,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. @@ -256,7 +256,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Application Telemetry engine in the system. +Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Application Telemetry engine in the system. Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. @@ -331,7 +331,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Switchback compatibility engine in the system. +Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Switchback compatibility engine in the system. Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. @@ -407,7 +407,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the application compatibility engine in the system. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the application compatibility engine in the system. The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. @@ -485,7 +485,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. +Available in the latest Windows 10 Insider Preview Build. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. @@ -552,7 +552,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. @@ -626,7 +626,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of Steps Recorder. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of Steps Recorder. Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection. @@ -699,7 +699,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Inventory Collector. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. @@ -731,14 +731,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md new file mode 100644 index 0000000000..086c0dafc1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -0,0 +1,121 @@ +--- +title: Policy CSP - ADMX_AppxPackageManager +description: Policy CSP - ADMX_AppxPackageManager +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AppxPackageManager +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_AppxPackageManager policies + +
    +
    + ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles +
    +
    + + +
    + + +**ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. + +Special profiles are the following user profiles, where changes are discarded after the user signs off: + +- Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies +- Mandatory user profiles and super-mandatory profiles, which are created by an administrator +- Temporary user profiles, which are created when an error prevents the correct profile from loading +- User profiles for the Guest account and members of the Guests group + +If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile. + +If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow deployment operations in special profiles* +- GP name: *AllowDeploymentInSpecialProfiles* +- GP path: *Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md new file mode 100644 index 0000000000..6d76bd5f74 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -0,0 +1,339 @@ +--- +title: Policy CSP - ADMX_AppXRuntime +description: Policy CSP - ADMX_AppXRuntime +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AppXRuntime +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_AppXRuntime policies + +
    +
    + ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules +
    +
    + ADMX_AppXRuntime/AppxRuntimeBlockFileElevation +
    +
    + ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT +
    +
    + ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation +
    +
    + + +
    + + +**ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. + +If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. + +If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on dynamic Content URI Rules for Windows store apps* +- GP name: *AppxRuntimeApplicationContentUriRules* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
    + + +**ADMX_AppXRuntime/AppxRuntimeBlockFileElevation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. + +If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. + +If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block launching desktop apps associated with a file.* +- GP name: *AppxRuntimeBlockFileElevation* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
    + + +**ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. + +If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. + +If you disable or do not configure this policy setting, all Universal Windows apps can be launched. + +> [!WARNING] +> This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block launching Universal Windows apps with Windows Runtime API access from hosted content.* +- GP name: *AppxRuntimeBlockHostedAppAccessWinRT* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
    + + +**ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. + +If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. + +If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. + +> [!NOTE] +> Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block launching desktop apps associated with a URI scheme* +- GP name: *AppxRuntimeBlockProtocolElevation* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md new file mode 100644 index 0000000000..895402efef --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -0,0 +1,423 @@ +--- +title: Policy CSP - ADMX_AttachmentManager +description: Policy CSP - ADMX_AttachmentManager +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AttachmentManager +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_AttachmentManager policies + +
    +
    + ADMX_AttachmentManager/AM_EstimateFileHandlerRisk +
    +
    + ADMX_AttachmentManager/AM_SetFileRiskLevel +
    +
    + ADMX_AttachmentManager/AM_SetHighRiskInclusion +
    +
    + ADMX_AttachmentManager/AM_SetLowRiskInclusion +
    +
    + ADMX_AttachmentManager/AM_SetModRiskInclusion +
    +
    + + +
    + + +**ADMX_AttachmentManager/AM_EstimateFileHandlerRisk** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. + +Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files. + +Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the other options. + +If you enable this policy setting, you can choose the order in which Windows processes risk assessment data. + +If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. + +If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Trust logic for file attachments* +- GP name: *AM_EstimateFileHandlerRisk* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
    + + +**ADMX_AttachmentManager/AM_SetFileRiskLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. + +High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. + +Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. + +Low Risk: If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. + +If you enable this policy setting, you can specify the default risk level for file types. + +If you disable this policy setting, Windows sets the default risk level to moderate. + +If you do not configure this policy setting, Windows sets the default risk level to moderate. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Default risk level for file attachments* +- GP name: *AM_SetFileRiskLevel* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
    + + +**ADMX_AttachmentManager/AM_SetHighRiskInclusion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). + +If you enable this policy setting, you can create a custom list of high-risk file types. + +If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk. + +If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Inclusion list for high risk file types* +- GP name: *AM_SetHighRiskInclusion* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
    + + +**ADMX_AttachmentManager/AM_SetLowRiskInclusion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). + +If you enable this policy setting, you can specify file types that pose a low risk. + +If you disable this policy setting, Windows uses its default trust logic. + +If you do not configure this policy setting, Windows uses its default trust logic. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Inclusion list for low file types* +- GP name: *AM_SetLowRiskInclusion* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
    + + +**ADMX_AttachmentManager/AM_SetModRiskInclusion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). + +If you enable this policy setting, you can specify file types which pose a moderate risk. + +If you disable this policy setting, Windows uses its default trust logic. + +If you do not configure this policy setting, Windows uses its default trust logic. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Inclusion list for moderate risk file types* +- GP name: *AM_SetModRiskInclusion* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index 1aa77b30da..2564a91801 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. @@ -106,14 +106,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index b5f4b7b748..35597b677e 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -1088,14 +1088,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index 649079a937..e8a57b01bf 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -78,7 +78,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). If you enable this policy setting, SSL cipher suites are prioritized in the order specified. @@ -151,7 +151,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. If you enable this policy setting, ECC curves are prioritized in the order specified. Enter one curve name per line. @@ -190,14 +190,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index 1da39a32a3..aaaa28a510 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -78,7 +78,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. @@ -153,7 +153,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. @@ -184,14 +184,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md new file mode 100644 index 0000000000..4a340834f9 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -0,0 +1,363 @@ +--- +title: Policy CSP - ADMX_ControlPanel +description: Policy CSP - ADMX_ControlPanel +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/05/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ControlPanel +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_ControlPanel policies + +
    +
    + ADMX_ControlPanel/DisallowCpls +
    +
    + ADMX_ControlPanel/ForceClassicControlPanel +
    +
    + ADMX_ControlPanel/NoControlPanel +
    +
    + ADMX_ControlPanel/RestrictCpls +
    +
    + + +
    + + +**ADMX_ControlPanel/DisallowCpls** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. + +If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. + +To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. + +> [!NOTE] +> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items". + +If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. + +> [!NOTE] +> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide specified Control Panel items* +- GP name: *DisallowCpls* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
    + + +**ADMX_ControlPanel/ForceClassicControlPanel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default Control Panel view, whether by category or icons. + +If this policy setting is enabled, the Control Panel opens to the icon view. + +If this policy setting is disabled, the Control Panel opens to the category view. + +If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session. + +> [!NOTE] +> Icon size is dependent upon what the user has set it to in the previous session. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always open All Control Panel Items when opening Control Panel* +- GP name: *ForceClassicControlPanel* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
    + + +**ADMX_ControlPanel/NoControlPanel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Disables all Control Panel programs and the PC settings app. + +This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings, or run any of their items. + +This setting removes Control Panel from: + +- The Start screen +- File Explorer + +This setting removes PC settings from: + +- The Start screen +- Settings charm +- Account picture +- Search results + +If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to Control Panel and PC settings* +- GP name: *NoControlPanel* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
    + + +**ADMX_ControlPanel/RestrictCpls** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. + +To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. + +> [!NOTE] +> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". + +If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. + +> [!NOTE] +> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. +> +> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show only specified Control Panel items* +- GP name: *RestrictCpls* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md new file mode 100644 index 0000000000..a03950bfdc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -0,0 +1,1826 @@ +--- +title: Policy CSP - ADMX_ControlPanelDisplay +description: Policy CSP - ADMX_ControlPanelDisplay +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/05/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ControlPanelDisplay +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_ControlPanelDisplay policies + +
    +
    + ADMX_ControlPanelDisplay/CPL_Display_Disable +
    +
    + ADMX_ControlPanelDisplay/CPL_Display_HideSettings +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground +
    +
    + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Display_Disable** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Disables the Display Control Panel. + +If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. + +Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable the Display Control Panel* +- GP name: *CPL_Display_Disable* +- GP path: *Control Panel\Display* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Display_HideSettings** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes the Settings tab from Display in Control Panel. + +This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Settings tab* +- GP name: *CPL_Display_HideSettings* +- GP path: *Control Panel\Display* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting forces the theme color scheme to be the default color scheme. + +If you enable this setting, a user cannot change the color scheme of the current desktop theme. + +If you disable or do not configure this setting, a user may change the color scheme of the current desktop theme. + +For Windows 7 and later, use the "Prevent changing color and appearance" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing color scheme* +- GP name: *CPL_Personalization_DisableColorSchemeChoice* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting disables the theme gallery in the Personalization Control Panel. + +If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). + +If you disable or do not configure this setting, there is no effect. + +> [!NOTE] +> If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing theme* +- GP name: *CPL_Personalization_DisableThemeChange* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. + +When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties. + +When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing visual style for windows and buttons* +- GP name: *CPL_Personalization_DisableVisualStyle* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enables desktop screen savers. + +If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. + +If you do not configure it, this setting has no effect on the system. + +If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel. + +Also, see the "Prevent changing Screen Saver" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable screen saver* +- GP name: *CPL_Personalization_EnableScreenSaver* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. + +This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). + +To use this setting, type the fully qualified path and name of the file that stores the default lock screen and logon image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as `\\Server\Share\Corp.jpg`. + +This can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon image to be shown. + +Note: This setting only applies to Enterprise, Education, and Server SKUs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific default lock screen and logon image* +- GP name: *CPL_Personalization_ForceDefaultLockScreen* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the size of the font in the windows and buttons displayed on their screens. + +If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. + +If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit selection of visual style font size* +- GP name: *CPL_Personalization_LockFontSize* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the background image shown when the machine is locked or when on the logon screen. + +By default, users can change the background image shown when the machine is locked or displaying the logon screen. + +If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing lock screen and logon image* +- GP name: *CPL_Personalization_NoChangingLockScreen* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the look of their start menu background, such as its color or accent. + +By default, users can change the look of their start menu background, such as its color or accent. + +If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them. + +If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy. + +If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing start menu background* +- GP name: *CPL_Personalization_NoChangingStartMenuBackground* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. + +This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. + +If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel. + +For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing color and appearance* +- GP name: *CPL_Personalization_NoColorAppearanceUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from adding or changing the background design of the desktop. + +By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. + +If you enable this setting, none of the Desktop Background settings can be changed by the user. + +To specify wallpaper for a group, use the "Desktop Wallpaper" setting. + +Note: You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information. + +Also, see the "Allow only bitmapped wallpaper" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing desktop background* +- GP name: *CPL_Personalization_NoDesktopBackgroundUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the desktop icons. + +By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. + +If you enable this setting, none of the desktop icons can be changed by the user. + +For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing desktop icons* +- GP name: *CPL_Personalization_NoDesktopIconsUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the lock screen appears for users. + +If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. + +If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not display the lock screen* +- GP name: *CPL_Personalization_NoLockScreen* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the mouse pointers. + +By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers. + +If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing mouse pointers* +- GP name: *CPL_Personalization_NoMousePointersUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. + +This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing screen saver* +- GP name: *CPL_Personalization_NoScreenSaverUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the sound scheme. + +By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. + +If you enable this setting, none of the Sound Scheme settings can be changed by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing sounds* +- GP name: *CPL_Personalization_NoSoundSchemeUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. + +By default, users can change the background and accent colors. + +If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific background and accent color* +- GP name: *CPL_Personalization_PersonalColors* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines whether screen savers used on the computer are password protected. + +If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. + +This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or Display Control Panel, preventing users from changing the password protection setting. + +If you do not configure this setting, users can choose whether or not to set password protection on each screen saver. + +To ensure that a computer will be password protected, enable the "Enable Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting. + +> [!NOTE] +> To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Password protect the screen saver* +- GP name: *CPL_Personalization_ScreenSaverIsSecure* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies how much user idle time must elapse before the screen saver is launched. + +When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. + +This setting has no effect under any of the following circumstances: + +- The setting is disabled or not configured. + +- The wait time is set to zero. + +- The "Enable Screen Saver" setting is disabled. + +- Neither the "Screen saver executable name" setting nor the Screen Saver dialog of the client computer's Personalization or Display Control Panel specifies a valid existing screen saver program on the client. + +When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Screen saver timeout* +- GP name: *CPL_Personalization_ScreenSaverTimeOut* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies the screen saver for the user's desktop. + +If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. + +If you disable this setting or do not configure it, users can select any screen saver. + +If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file. + +If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored. + +> [!NOTE] +> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force specific screen saver* +- GP name: *CPL_Personalization_SetScreenSaver* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies which theme file is applied to the computer the first time a user logs on. + +If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first logon. + +If you disable or do not configure this setting, the default theme will be applied at the first logon. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Load a specific theme* +- GP name: *CPL_Personalization_SetTheme* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. + +This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). + +If you enable this setting, the visual style file that you specify will be used. Also, a user may not apply a different visual style when changing themes. + +If you disable or do not configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available). + +> [!NOTE] +> If this setting is enabled and the file is not available at user logon, the default visual style is loaded. +> +> When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles. +> +> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific visual style file or force Windows Classic* +- GP name: *CPL_Personalization_SetVisualStyle* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. + +If this setting is set to zero or not configured, then Start uses the default background, and users can change it. + +If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific Start background* +- GP name: *CPL_Personalization_StartBackground* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 21bf8792f1..d198e617ff 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. > [!NOTE] > The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. @@ -104,14 +104,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md new file mode 100644 index 0000000000..dcaa5fa29f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -0,0 +1,270 @@ +--- +title: Policy CSP - ADMX_CredentialProviders +description: Policy CSP - ADMX_CredentialProviders +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/11/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_CredentialProviders +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_CredentialProviders policies + +
    +
    + ADMX_CredentialProviders/AllowDomainDelayLock +
    +
    + ADMX_CredentialProviders/DefaultCredentialProvider +
    +
    + ADMX_CredentialProviders/ExcludedCredentialProviders +
    +
    + + +
    + + +**ADMX_CredentialProviders/AllowDomainDelayLock** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. + +If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. + +If you disable this policy setting, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. + +If you don't configure this policy setting on a domain-joined device, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. + +If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow users to select when a password is required when resuming from connected standby* +- GP name: *AllowDomainDelayLock* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
    + + +**ADMX_CredentialProviders/DefaultCredentialProvider** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to assign a specified credential provider as the default credential provider. + +If you enable this policy setting, the specified credential provider is selected on other user tile. + +If you disable or do not configure this policy setting, the system picks the default credential provider on other user tile. + +> [!NOTE] +> A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Assign a default credential provider* +- GP name: *DefaultCredentialProvider* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
    + + + +**ADMX_CredentialProviders/ExcludedCredentialProviders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to exclude the specified credential providers from use during authentication. + +> [!NOTE] +> Credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). + +If you enable this policy, an administrator can specify the CLSIDs of the credential providers to exclude from the set of installed credential providers available for authentication purposes. + +If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Exclude credential providers* +- GP name: *ExcludedCredentialProviders* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md new file mode 100644 index 0000000000..7cf1e14d14 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -0,0 +1,970 @@ +--- +title: Policy CSP - ADMX_CredSsp +description: Policy CSP - ADMX_CredSsp +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_CredSsp +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_CredSsp policies + +
    +
    + ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly +
    +
    + ADMX_CredSsp/AllowDefaultCredentials +
    +
    + ADMX_CredSsp/AllowEncryptionOracle +
    +
    + ADMX_CredSsp/AllowFreshCredentials +
    +
    + ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly +
    +
    + ADMX_CredSsp/AllowSavedCredentials +
    +
    + ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly +
    +
    + ADMX_CredSsp/DenyDefaultCredentials +
    +
    + ADMX_CredSsp/DenyFreshCredentials +
    +
    + ADMX_CredSsp/DenySavedCredentials +
    +
    + ADMX_CredSsp/RestrictedRemoteAdministration +
    +
    + + +
    + + +**ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via NTLM. + +If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). + +If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating default credentials with NTLM-only server authentication* +- GP name: *AllowDefCredentialsWhenNTLMOnly* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/AllowDefaultCredentials** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. + +If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). + +The policy becomes effective the next time the user signs on to a computer running Windows. + +If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB. + +FWlink for KB: +https://go.microsoft.com/fwlink/?LinkId=301508 + +> [!NOTE] +> The "Allow delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating default credentials* +- GP name: *AllowDefaultCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/AllowEncryptionOracle** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). + +Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. + +If you enable this policy setting, CredSSP version support will be selected based on the following options: + +- Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. + + > [!NOTE] + > This setting should not be deployed until all remote hosts support the newest version. + +- Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. + +- Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients. + +For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660 + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Encryption Oracle Remediation* +- GP name: *AllowEncryptionOracle* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/AllowFreshCredentials** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. + +If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). + +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). + +If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating fresh credentials* +- GP name: *AllowFreshCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via NTLM. + +If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). + +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). + +If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating fresh credentials with NTLM-only server authentication* +- GP name: *AllowFreshCredentialsWhenNTLMOnly* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/AllowSavedCredentials** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. + +If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). + +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). + +If you disable this policy setting, delegation of saved credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating saved credentials* +- GP name: *AllowSavedCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via NTLM. + +If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). + +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine. + +If you disable this policy setting, delegation of saved credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating saved credentials with NTLM-only server authentication* +- GP name: *AllowSavedCredentialsWhenNTLMOnly* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/DenyDefaultCredentials** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). + +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. + +> [!NOTE] +> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + +This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Deny delegating default credentials* +- GP name: *DenyDefaultCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/DenyFreshCredentials** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). + +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. + +> [!NOTE] +> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + +This policy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Deny delegating fresh credentials* +- GP name: *DenyFreshCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/DenySavedCredentials** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). + +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. + +> [!NOTE] +> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + +This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved credentials" server list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Deny delegating saved credentials* +- GP name: *DenySavedCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/RestrictedRemoteAdministration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. + +Participating apps: +Remote Desktop Client + +If you enable this policy setting, the following options are supported: + +- Restrict credential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts. +- Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts. +- Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts. + +If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices. + +> [!NOTE] +> To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation). +> +> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict delegation of credentials to remote servers* +- GP name: *RestrictedRemoteAdministration* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md new file mode 100644 index 0000000000..cf430cc22f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -0,0 +1,186 @@ +--- +title: Policy CSP - ADMX_CredUI +description: Policy CSP - ADMX_CredUI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_CredUI +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_CredUI policies + +
    +
    + ADMX_CredUI/EnableSecureCredentialPrompting +
    +
    + ADMX_CredUI/NoLocalPasswordResetQuestions +
    +
    + + +
    + + +**ADMX_CredUI/EnableSecureCredentialPrompting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. + +> [!NOTE] +> This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. + +If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. + +If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require trusted path for credential entry* +- GP name: *EnableSecureCredentialPrompting* +- GP path: *Windows Components\Credential User Interface* +- GP ADMX file name: *CredUI.admx* + + + +
    + + +**ADMX_CredUI/NoLocalPasswordResetQuestions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent the use of security questions for local accounts* +- GP name: *NoLocalPasswordResetQuestions* +- GP path: *Windows Components\Credential User Interface* +- GP ADMX file name: *CredUI.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index 9ecc74d2e9..7ec6bdd7bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from changing their Windows password on demand. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their Windows password on demand. If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. @@ -153,7 +153,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from locking the system. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from locking the system. While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it. @@ -226,7 +226,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from starting Task Manager. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from starting Task Manager. Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. @@ -297,7 +297,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting disables or removes all menu items and buttons that log the user off the system. +Available in the latest Windows 10 Insider Preview Build. This policy setting disables or removes all menu items and buttons that log the user off the system. If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu. @@ -326,14 +326,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md new file mode 100644 index 0000000000..b550db06f6 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -0,0 +1,115 @@ +--- +title: Policy CSP - ADMX_DataCollection +description: Policy CSP - ADMX_DataCollection +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DataCollection +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_DataCollection policies + +
    +
    + ADMX_DataCollection/CommercialIdPolicy +
    +
    + + +
    + + +**ADMX_DataCollection/CommercialIdPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. + +If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. + +If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the Commercial ID* +- GP name: *CommercialIdPolicy* +- GP path: *Windows Components\Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md new file mode 100644 index 0000000000..8c3fd1a932 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -0,0 +1,2183 @@ +--- +title: Policy CSP - ADMX_Desktop +description: Policy CSP - ADMX_Desktop +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/02/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Desktop +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Desktop policies + +
    +
    + ADMX_Desktop/AD_EnableFilter +
    +
    + ADMX_Desktop/AD_HideDirectoryFolder +
    +
    + ADMX_Desktop/AD_QueryLimit +
    +
    + ADMX_Desktop/ForceActiveDesktopOn +
    +
    + ADMX_Desktop/NoActiveDesktop +
    +
    + ADMX_Desktop/NoActiveDesktopChanges +
    +
    + ADMX_Desktop/NoDesktop +
    +
    + ADMX_Desktop/NoDesktopCleanupWizard +
    +
    + ADMX_Desktop/NoInternetIcon +
    +
    + ADMX_Desktop/NoMyComputerIcon +
    +
    + ADMX_Desktop/NoMyDocumentsIcon +
    +
    + ADMX_Desktop/NoNetHood +
    +
    + ADMX_Desktop/NoPropertiesMyComputer +
    +
    + ADMX_Desktop/NoPropertiesMyDocuments +
    +
    + ADMX_Desktop/NoRecentDocsNetHood +
    +
    + ADMX_Desktop/NoRecycleBinIcon +
    +
    + ADMX_Desktop/NoRecycleBinProperties +
    +
    + ADMX_Desktop/NoSaveSettings +
    +
    + ADMX_Desktop/NoWindowMinimizingShortcuts +
    +
    + ADMX_Desktop/Wallpaper +
    +
    + ADMX_Desktop/sz_ATC_DisableAdd +
    +
    + ADMX_Desktop/sz_ATC_DisableClose +
    +
    + ADMX_Desktop/sz_ATC_DisableDel +
    +
    + ADMX_Desktop/sz_ATC_DisableEdit +
    +
    + ADMX_Desktop/sz_ATC_NoComponents +
    +
    + ADMX_Desktop/sz_AdminComponents_Title +
    +
    + ADMX_Desktop/sz_DB_DragDropClose +
    +
    + ADMX_Desktop/sz_DB_Moving +
    +
    + ADMX_Desktop/sz_DWP_NoHTMLPaper +
    +
    + + +
    + + +**ADMX_Desktop/AD_EnableFilter** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. + +If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. + +If you disable this setting or do not configure it, the filter bar does not appear, but users can display it by selecting "Filter" on the "View" menu. + +To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable filter in Find dialog box* +- GP name: *AD_EnableFilter* +- GP path: *Desktop\Active Directory* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/AD_HideDirectoryFolder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Hides the Active Directory folder in Network Locations. + +The Active Directory folder displays Active Directory objects in a browse window. + +If you enable this setting, the Active Directory folder does not appear in the Network Locations folder. + +If you disable this setting or do not configure it, the Active Directory folder appears in the Network Locations folder. + +This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Active Directory folder* +- GP name: *AD_HideDirectoryFolder* +- GP path: *Desktop\Active Directory* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/AD_QueryLimit** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. + +If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. + +If you disable this setting or do not configure it, the system displays up to 10,000 objects. This consumes approximately 2 MB of memory or disk space. + +This setting is designed to protect the network and the domain controller from the effect of expansive searches. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Maximum size of Active Directory searches* +- GP name: *AD_QueryLimit* +- GP path: *Desktop\Active Directory* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/ForceActiveDesktopOn** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enables Active Desktop and prevents users from disabling it. + +This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. + +If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. + +> [!NOTE] +> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable Active Desktop* +- GP name: *ForceActiveDesktopOn* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoActiveDesktop** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Disables Active Desktop and prevents users from enabling it. + +This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. + +If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. + +> [!NOTE] +> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable Active Desktop* +- GP name: *NoActiveDesktop* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoActiveDesktopChanges** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. + +This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit changes* +- GP name: *NoActiveDesktopChanges* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoDesktop** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. + +Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. + +Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide and disable all items on the desktop* +- GP name: *NoDesktop* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoDesktopCleanupWizard** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from using the Desktop Cleanup Wizard. + +If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. + +If you disable this setting or do not configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs. + +> [!NOTE] +> When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the Desktop Cleanup Wizard* +- GP name: *NoDesktopCleanupWizard* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoInternetIcon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. + +This setting does not prevent the user from starting Internet Explorer by using other methods. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Internet Explorer icon on desktop* +- GP name: *NoInternetIcon* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoMyComputerIcon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. + +If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty. + +If you disable this setting, Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting. + +If you do not configure this setting, the default is to display Computer as usual. + +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Computer icon on the desktop* +- GP name: *NoMyComputerIcon* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoMyDocumentsIcon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the My Documents icon. + +This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. + +This setting does not prevent the user from using other methods to gain access to the contents of the My Documents folder. + +This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting. + +> [!NOTE] +> To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove My Documents icon on the desktop* +- GP name: *NoMyDocumentsIcon* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoNetHood** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes the Network Locations icon from the desktop. + +This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. + +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Network Locations icon on desktop* +- GP name: *NoNetHood* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoPropertiesMyComputer** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting hides Properties on the context menu for Computer. + +If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. + +If you disable or do not configure this setting, the Properties option is displayed as usual. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Properties from the Computer icon context menu* +- GP name: *NoPropertiesMyComputer* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoPropertiesMyDocuments** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. + +If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: + +- Right-clicks the My Documents icon. +- Clicks the My Documents icon, and then opens the File menu. +- Clicks the My Documents icon, and then presses ALT+ENTER. + +If you disable or do not configure this policy setting, the Properties menu command is displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Properties from the Documents icon context menu* +- GP name: *NoPropertiesMyDocuments* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoRecentDocsNetHood** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. + +If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. + +If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not add shares of recently opened documents to Network Locations* +- GP name: *NoRecentDocsNetHood* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoRecycleBinIcon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the Recycle Bin icon. + +This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. + +This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder. + +> [!NOTE] +> To make changes to this setting effective, you must log off and then log back on. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Recycle Bin icon from desktop* +- GP name: *NoRecycleBinIcon* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoRecycleBinProperties** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes the Properties option from the Recycle Bin context menu. + +If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. + +If you disable or do not configure this setting, the Properties option is displayed as usual. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Properties from the Recycle Bin context menu* +- GP name: *NoRecycleBinProperties* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoSaveSettings** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from saving certain changes to the desktop. + +If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Don't save settings at exit* +- GP name: *NoSaveSettings* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoWindowMinimizingShortcuts** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. + +If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse. + +If you disable or do not configure this policy, this window minimizing and restoring gesture will apply. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Aero Shake window minimizing mouse gesture* +- GP name: *NoWindowMinimizingShortcuts* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/Wallpaper** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies the desktop background ("wallpaper") displayed on all users' desktops. + +This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file. + +To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification. + +If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice. + +Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel. + +> [!NOTE] +> This setting does not apply to remote desktop server sessions. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Desktop Wallpaper* +- GP name: *Wallpaper* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_ATC_DisableAdd** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from adding Web content to their Active Desktop. + +This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content. + +Also, see the "Disable all items" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit adding items* +- GP name: *sz_ATC_DisableAdd* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_ATC_DisableClose** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from removing Web content from their Active Desktop. + +In Active Desktop, you can add items to the desktop but close them so they are not displayed. + +If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel. + +> [!NOTE] +> This setting does not prevent users from deleting items from their Active Desktop. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit closing items* +- GP name: *sz_ATC_DisableClose* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_ATC_DisableDel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from deleting Web content from their Active Desktop. + +This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop. + +This setting does not prevent users from adding Web content to their Active Desktop. + +Also, see the "Prohibit closing items" and "Disable all items" settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit deleting items* +- GP name: *sz_ATC_DisableDel* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_ATC_DisableEdit** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the properties of Web content items on their Active Desktop. + +This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit editing items* +- GP name: *sz_ATC_DisableEdit* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_ATC_NoComponents** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes Active Desktop content and prevents users from adding Active Desktop content. + +This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. + +> [!NOTE] +> This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable all items* +- GP name: *sz_ATC_NoComponents* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_AdminComponents_Title** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Adds and deletes specified Web content items. + +You can use the "Add" box in this setting to add particular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added again each time the setting is refreshed. + +You can also use this setting to delete particular Web-based items from users' desktops. Users can add the item again (if settings allow), but the item is deleted each time the setting is refreshed. + +> [!NOTE] +> Removing an item from the "Add" list for this setting is not the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added again. + +> [!NOTE] +> For this setting to take affect, you must log off and log on to the system. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add/Delete items* +- GP name: *sz_AdminComponents_Title* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_DB_DragDropClose** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from manipulating desktop toolbars. + +If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. + +> [!NOTE] +> If users have added or removed toolbars, this setting prevents them from restoring the default configuration. + +> [!TIP] +> To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar beside the Start button), and point to "Toolbars." + +Also, see the "Prohibit adjusting desktop toolbars" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent adding, dragging, dropping and closing the Taskbar's toolbars* +- GP name: *sz_DB_DragDropClose* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_DB_Moving** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. + +This setting does not prevent users from adding or removing toolbars on the desktop. + +> [!NOTE] +> If users have adjusted their toolbars, this setting prevents them from restoring the default configuration. + +Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit adjusting desktop toolbars* +- GP name: *sz_DB_Moving* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_DWP_NoHTMLPaper** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". + +Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow only bitmapped wallpaper* +- GP name: *sz_DWP_NoHTMLPaper* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md new file mode 100644 index 0000000000..69e459d10c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -0,0 +1,619 @@ +--- +title: Policy CSP - ADMX_DeviceInstallation +description: Policy CSP - ADMX_DeviceInstallation +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/19/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DeviceInstallation +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_DeviceInstallation policies + +
    +
    + ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall +
    +
    + ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText +
    +
    + ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText +
    +
    + ADMX_DeviceInstallation/DeviceInstall_InstallTimeout +
    +
    + ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime +
    +
    + ADMX_DeviceInstallation/DeviceInstall_Removable_Deny +
    +
    + ADMX_DeviceInstallation/DeviceInstall_SystemRestore +
    +
    + ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser +
    +
    + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. + +If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow administrators to override Device Installation Restriction policies* +- GP name: *DeviceInstall_AllowAdminInstall* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. + +If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. + +If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display a custom message when installation is prevented by a policy setting* +- GP name: *DeviceInstall_DeniedPolicy_DetailText* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. + +If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. + +If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display a custom message title when device installation is prevented by a policy setting* +- GP name: *DeviceInstall_DeniedPolicy_SimpleText* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_InstallTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. + +If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. + +If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure device installation time-out* +- GP name: *DeviceInstall_InstallTimeout* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. + +If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. + +If you disable or do not configure this policy setting, the system does not force a reboot. + +Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Time (in seconds) to force reboot when required for policy changes to take effect* +- GP name: *DeviceInstall_Policy_RebootTime* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_Removable_Deny** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + +If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent installation of removable devices* +- GP name: *DeviceInstall_Removable_Deny* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_SystemRestore** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. + +If you enable this policy setting, Windows does not create a system restore point when one would normally be created. + +If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point* +- GP name: *DeviceInstall_SystemRestore* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. + +If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. + +If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow non-administrators to install drivers for these device setup classes* +- GP name: *DriverInstall_Classes_AllowUser* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md new file mode 100644 index 0000000000..5da6627e8f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -0,0 +1,188 @@ +--- +title: Policy CSP - ADMX_DeviceSetup +description: Policy CSP - ADMX_DeviceSetup +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/19/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DeviceSetup +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_DeviceSetup policies + +
    +
    + ADMX_DeviceSetup/DeviceInstall_BalloonTips +
    +
    + ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration +
    +
    + + +
    + + +**ADMX_DeviceSetup/DeviceInstall_BalloonTips** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off "Found New Hardware" balloons during device installation. + +If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. + +If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off "Found New Hardware" balloons during device installation* +- GP name: *DeviceInstall_BalloonTips* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
    + + +**ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which Windows searches source locations for device drivers. + +If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. + +Note that searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver is not locally available on the system. + +If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify search order for device driver source locations* +- GP name: *DriverSearchPlaces_SearchOrderConfiguration* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index 43d6152747..08a7dab278 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -77,7 +77,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether Digital Locker can run. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. @@ -148,7 +148,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether Digital Locker can run. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. @@ -177,14 +177,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 79b48babf1..9aba6d0482 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -137,7 +137,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names. @@ -205,7 +205,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. @@ -282,7 +282,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. @@ -351,7 +351,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -438,7 +438,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. If this policy setting is enabled, IDNs are not converted to Punycode. @@ -507,7 +507,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. If this policy setting is enabled, IDNs are converted to the Nameprep form. @@ -576,7 +576,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. @@ -647,7 +647,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. @@ -720,7 +720,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. @@ -795,7 +795,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. @@ -869,7 +869,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS client computers will register PTR resource records. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS client computers will register PTR resource records. By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. @@ -945,7 +945,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. @@ -1014,7 +1014,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. @@ -1087,7 +1087,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. @@ -1163,7 +1163,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). @@ -1234,7 +1234,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." @@ -1310,7 +1310,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. @@ -1379,7 +1379,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. @@ -1451,7 +1451,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the security level for dynamic DNS updates. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security level for dynamic DNS updates. To use this policy setting, click Enabled and then select one of the following values: @@ -1526,7 +1526,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. @@ -1597,7 +1597,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -1684,7 +1684,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. @@ -1712,14 +1712,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index ff5b9de5cc..71f9b3638f 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -89,7 +89,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the default color for window frames when the user does not specify a color. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -162,7 +162,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the default color for window frames when the user does not specify a color. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -234,7 +234,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -305,7 +305,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -376,7 +376,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the ability to change the color of window frames. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. @@ -448,7 +448,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the ability to change the color of window frames. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. @@ -478,14 +478,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md new file mode 100644 index 0000000000..b56ce8c52a --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -0,0 +1,972 @@ +--- +title: Policy CSP - ADMX_EAIME +description: Policy CSP - ADMX_EAIME +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/19/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_EAIME +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_EAIME policies + +
    +
    + ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList +
    +
    + ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion +
    +
    + ADMX_EAIME/L_TurnOffCustomDictionary +
    +
    + ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput +
    +
    + ADMX_EAIME/L_TurnOffInternetSearchIntegration +
    +
    + ADMX_EAIME/L_TurnOffOpenExtendedDictionary +
    +
    + ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile +
    +
    + ADMX_EAIME/L_TurnOnCloudCandidate +
    +
    + ADMX_EAIME/L_TurnOnCloudCandidateCHS +
    +
    + ADMX_EAIME/L_TurnOnLexiconUpdate +
    +
    + ADMX_EAIME/L_TurnOnLiveStickers +
    +
    + ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport +
    +
    + + +
    + + +**ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. + +If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. + +If you disable or do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list. + +This policy setting applies to Japanese Microsoft IME only. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not include Non-Publishing Standard Glyph in the candidate list* +- GP name: *L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict character code range of conversion by setting character filter. + +If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: + +- 0x0001 // JIS208 area +- 0x0002 // NEC special char code +- 0x0004 // NEC selected IBM extended code +- 0x0008 // IBM extended code +- 0x0010 // Half width katakana code +- 0x0100 // EUDC(GAIJI) +- 0x0200 // S-JIS unmapped area +- 0x0400 // Unicode char +- 0x0800 // surrogate char +- 0x1000 // IVS char +- 0xFFFF // no definition. + +If you disable or do not configure this policy setting, no range of characters are filtered by default. + +This policy setting applies to Japanese Microsoft IME only. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict character code range of conversion* +- GP name: *L_RestrictCharacterCodeRangeOfConversion* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOffCustomDictionary** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the ability to use a custom dictionary. + +If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. + +If you disable or do not configure this policy setting, the custom dictionary can be used by default. + +For Japanese Microsoft IME, [Clear auto-tuning information] works, even if this policy setting is enabled, and it clears self-tuned words from the custom dictionary. + +This policy setting is applied to Japanese Microsoft IME. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off custom dictionary* +- GP name: *L_TurnOffCustomDictionary* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off history-based predictive input. + +If you enable this policy setting, history-based predictive input is turned off. + +If you disable or do not configure this policy setting, history-based predictive input is on by default. + +This policy setting applies to Japanese Microsoft IME only. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off history-based predictive input* +- GP name: *L_TurnOffHistorybasedPredictiveInput* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOffInternetSearchIntegration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Internet search integration. + +Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME. + +If you enable this policy setting, you cannot use search integration. + +If you disable or do not configure this policy setting, the search integration function can be used by default. + +This policy setting applies to Japanese Microsoft IME. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Internet search integration* +- GP name: *L_TurnOffInternetSearchIntegration* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOffOpenExtendedDictionary** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Open Extended Dictionary. + +If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. + +For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting is not used for conversion. + +If you disable or do not configure this policy setting, Open Extended Dictionary can be added and used by default. + +This policy setting is applied to Japanese Microsoft IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Open Extended Dictionary* +- GP name: *L_TurnOffOpenExtendedDictionary* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off saving the auto-tuning result to file. + +If you enable this policy setting, the auto-tuning data is not saved to file. + +If you disable or do not configure this policy setting, auto-tuning data is saved to file by default. + +This policy setting applies to Japanese Microsoft IME only. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off saving auto-tuning data to file* +- GP name: *L_TurnOffSavingAutoTuningDataToFile* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOnCloudCandidate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. + +If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. + +If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. + +If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. + +This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on cloud candidate* +- GP name: *L_TurnOnCloudCandidate* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOnCloudCandidateCHS** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. + +If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. + +If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. + +If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. + +This Policy setting applies only to Microsoft CHS Pinyin IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on cloud candidate for CHS* +- GP name: *L_TurnOnCloudCandidateCHS* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOnLexiconUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. + +If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings. + +If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. + +If you don't configure this policy setting, it will be turned on by default, and the user can turn on and turn off the lexicon update feature. + +This Policy setting applies only to Microsoft CHS Pinyin IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on lexicon update* +- GP name: *L_TurnOnLexiconUpdate* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOnLiveStickers** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the live sticker feature, which uses an online service to provide stickers online. + +If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off. + +If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. + +If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the live sticker feature. + +This Policy setting applies only to Microsoft CHS Pinyin IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on Live Sticker* +- GP name: *L_TurnOnLiveStickers* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging of misconversion for the misconversion report. + +If you enable this policy setting, misconversion logging is turned on. + +If you disable or do not configure this policy setting, misconversion logging is turned off. + +This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on misconversion logging for misconversion report* +- GP name: *L_TurnOnMisconversionLoggingForMisconversionReport* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index ec7948b584..1dd5a4e6cb 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. @@ -103,14 +103,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md new file mode 100644 index 0000000000..7e217f1364 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -0,0 +1,477 @@ +--- +title: Policy CSP - ADMX_EnhancedStorage +description: Policy CSP - ADMX_EnhancedStorage +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_EnhancedStorage +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_EnhancedStorage policies + +
    +
    + ADMX_EnhancedStorage/ApprovedEnStorDevices +
    +
    + ADMX_EnhancedStorage/ApprovedSilos +
    +
    + ADMX_EnhancedStorage/DisablePasswordAuthentication +
    +
    + ADMX_EnhancedStorage/DisallowLegacyDiskDevices +
    +
    + ADMX_EnhancedStorage/LockDeviceOnMachineLock +
    +
    + ADMX_EnhancedStorage/RootHubConnectedEnStorDevices +
    +
    + + +
    + + +**ADMX_EnhancedStorage/ApprovedEnStorDevices** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. + +If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. + +If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure list of Enhanced Storage devices usable on your computer* +- GP name: *ApprovedEnStorDevices* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
    + + +**ADMX_EnhancedStorage/ApprovedSilos** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. + +If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. + +If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure list of IEEE 1667 silos usable on your computer* +- GP name: *ApprovedSilos* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
    + + +**ADMX_EnhancedStorage/DisablePasswordAuthentication** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. + +If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. + +If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow password authentication of Enhanced Storage devices* +- GP name: *DisablePasswordAuthentication* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
    + + +**ADMX_EnhancedStorage/DisallowLegacyDiskDevices** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. + +If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. + +If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow non-Enhanced Storage removable devices* +- GP name: *DisallowLegacyDiskDevices* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
    + + +**ADMX_EnhancedStorage/LockDeviceOnMachineLock** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting locks Enhanced Storage devices when the computer is locked. + +This policy setting is supported in Windows Server SKUs only. + +If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked. + +If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Lock Enhanced Storage when the computer is locked* +- GP name: *LockDeviceOnMachineLock* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
    + + +**ADMX_EnhancedStorage/RootHubConnectedEnStorDevices** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. + +If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. + +If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow only USB root hub connected Enhanced Storage devices* +- GP name: *RootHubConnectedEnStorDevices* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md new file mode 100644 index 0000000000..5f3fc5e33b --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -0,0 +1,2202 @@ +--- +title: Policy CSP - ADMX_ErrorReporting +description: Policy CSP - ADMX_ErrorReporting +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ErrorReporting +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_ErrorReporting policies + +
    +
    + ADMX_ErrorReporting/PCH_AllOrNoneDef +
    +
    + ADMX_ErrorReporting/PCH_AllOrNoneEx +
    +
    + ADMX_ErrorReporting/PCH_AllOrNoneInc +
    +
    + ADMX_ErrorReporting/PCH_ConfigureReport +
    +
    + ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults +
    +
    + ADMX_ErrorReporting/WerArchive_1 +
    +
    + ADMX_ErrorReporting/WerArchive_2 +
    +
    + ADMX_ErrorReporting/WerAutoApproveOSDumps_1 +
    +
    + ADMX_ErrorReporting/WerAutoApproveOSDumps_2 +
    +
    + ADMX_ErrorReporting/WerBypassDataThrottling_1 +
    +
    + ADMX_ErrorReporting/WerBypassDataThrottling_2 +
    +
    + ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1 +
    +
    + ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2 +
    +
    + ADMX_ErrorReporting/WerBypassPowerThrottling_1 +
    +
    + ADMX_ErrorReporting/WerBypassPowerThrottling_2 +
    +
    + ADMX_ErrorReporting/WerCER +
    +
    + ADMX_ErrorReporting/WerConsentCustomize_1 +
    +
    + ADMX_ErrorReporting/WerConsentOverride_1 +
    +
    + ADMX_ErrorReporting/WerConsentOverride_2 +
    +
    + ADMX_ErrorReporting/WerDefaultConsent_1 +
    +
    + ADMX_ErrorReporting/WerDefaultConsent_2 +
    +
    + ADMX_ErrorReporting/WerDisable_1 +
    +
    + ADMX_ErrorReporting/WerExlusion_1 +
    +
    + ADMX_ErrorReporting/WerExlusion_2 +
    +
    + ADMX_ErrorReporting/WerNoLogging_1 +
    +
    + ADMX_ErrorReporting/WerNoLogging_2 +
    +
    + ADMX_ErrorReporting/WerNoSecondLevelData_1 +
    +
    + ADMX_ErrorReporting/WerQueue_1 +
    +
    + ADMX_ErrorReporting/WerQueue_2 +
    +
    + + +
    + + +**ADMX_ErrorReporting/PCH_AllOrNoneDef** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. + +If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu to report either all application errors (the default setting), or no application errors. + +If the Report all errors in Microsoft applications check box is filled, all errors in Microsoft applications are reported, regardless of the setting in the Default pull-down menu. When the Report all errors in Windows check box is filled, all errors in Windows applications are reported, regardless of the setting in the Default dropdown list. The Windows applications category is a subset of Microsoft applications. + +If you disable or do not configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications. + +This policy setting is ignored if the Configure Error Reporting policy setting is disabled or not configured. + +For related information, see the Configure Error Reporting and Report Operating System Errors policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Default application reporting settings* +- GP name: *PCH_AllOrNoneDef* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/PCH_AllOrNoneEx** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. + +If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. + +If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If an application is listed both in the List of applications to always report errors for policy setting, and in the exclusion list in this policy setting, the application is excluded from error reporting. You can also use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for these categories are filled in the Default application reporting settings policy setting. + +If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List of applications to never report errors for* +- GP name: *PCH_AllOrNoneEx* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/PCH_AllOrNoneInc** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies applications for which Windows Error Reporting should always report errors. + +To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. + +If you enable this policy setting, you can create a list of applications that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors. + +If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.) + +If you disable this policy setting or do not configure it, the Default application reporting settings policy setting takes precedence. + +Also see the "Default Application Reporting" and "Application Exclusion List" policies. + +This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List of applications to always report errors for* +- GP name: *PCH_AllOrNoneInc* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/PCH_ConfigureReport** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled. + +This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. + +> [!IMPORTANT] +> If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting. + +If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting: + +- "Do not display links to any Microsoft ‘More information’ websites": Select this option if you do not want error dialog boxes to display links to Microsoft websites. + +- "Do not collect additional files": Select this option if you do not want additional files to be collected and included in error reports. + +- "Do not collect additional computer data": Select this if you do not want additional information about the computer to be collected and included in error reports. + +- "Force queue mode for application errors": Select this option if you do not want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to log on to the computer can send the error reports to Microsoft. + +- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to log onto the computer can send the error reports to Microsoft. + +- "Replace instances of the word ‘Microsoft’ with": You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text. + +If you do not configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003. + +If you disable this policy setting, configuration settings in the policy setting are left blank. + +See related policy settings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Error Reporting* +- GP name: *PCH_ConfigureReport* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled. + +If you enable this policy setting, Windows Error Reporting includes operating system errors. + +If you disable this policy setting, operating system errors are not included in error reports. + +If you do not configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors. + +See also the Configure Error Reporting policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Report operating system errors* +- GP name: *PCH_ReportOperatingSystemFaults* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerArchive_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. + +If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. + +If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Report Archive* +- GP name: *WerArchive_1* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerArchive_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. + +If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. + +If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Report Archive* +- GP name: *WerArchive_2* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerAutoApproveOSDumps_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. + +If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. + +If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatically send memory dumps for OS-generated error reports* +- GP name: *WerAutoApproveOSDumps_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerAutoApproveOSDumps_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. + +If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. + +If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatically send memory dumps for OS-generated error reports* +- GP name: *WerAutoApproveOSDumps_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerBypassDataThrottling_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. + +If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. + +If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not throttle additional data* +- GP name: *WerBypassDataThrottling_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerBypassDataThrottling_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. + +If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. + +If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not throttle additional data* +- GP name: *WerBypassDataThrottling_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. + +If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. + +If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send data when on connected to a restricted/costed network* +- GP name: *WerBypassNetworkCostThrottling_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. + +If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. + +If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send data when on connected to a restricted/costed network* +- GP name: *WerBypassNetworkCostThrottling_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerBypassPowerThrottling_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. + +If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. + +If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send additional data when on battery power* +- GP name: *WerBypassPowerThrottling_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerBypassPowerThrottling_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. + +If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. + +If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send additional data when on battery power* +- GP name: *WerBypassPowerThrottling_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerCER** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). + +If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission. + +If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Corporate Windows Error Reporting* +- GP name: *WerCER* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerConsentCustomize_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the consent behavior of Windows Error Reporting for specific event types. + +If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. + +- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. + +- 1 (Always ask before sending data): Windows prompts the user for consent to send reports. + +- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. + +- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. + +- 4 (Send all data): Any data requested by Microsoft is sent automatically. + +If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Customize consent settings* +- GP name: *WerConsentCustomize_1* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerConsentOverride_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. + +If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. + +If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ignore custom consent settings* +- GP name: *WerConsentOverride_1* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerConsentOverride_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. + +If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. + +If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ignore custom consent settings* +- GP name: *WerConsentOverride_2* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerDefaultConsent_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. + +If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: + +- Always ask before sending data: Windows prompts users for consent to send reports. + +- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. + +- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. + +- Send all data: any error reporting data requested by Microsoft is sent automatically. + +If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Default consent* +- GP name: *WerDefaultConsent_1* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerDefaultConsent_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. + +If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: + +- Always ask before sending data: Windows prompts users for consent to send reports. + +- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. + +- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. + +- Send all data: any error reporting data requested by Microsoft is sent automatically. + +If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Default consent* +- GP name: *WerDefaultConsent_2* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerDisable_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. + +If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. + +If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable Windows Error Reporting* +- GP name: *WerDisable_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerExlusion_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. + +If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. + +If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List of applications to be excluded* +- GP name: *WerExlusion_1* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerExlusion_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. + +If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. + +If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List of applications to be excluded* +- GP name: *WerExlusion_2* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerNoLogging_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. + +If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. + +If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable logging* +- GP name: *WerNoLogging_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerNoLogging_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. + +If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. + +If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable logging* +- GP name: *WerNoLogging_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerNoSecondLevelData_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. + +If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. + +If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not send additional data* +- GP name: *WerNoSecondLevelData_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerQueue_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. + +If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. + +The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. + +If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Report Queue* +- GP name: *WerQueue_1* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerQueue_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. + +If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel. + +The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. + +If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Report Queue* +- GP name: *WerQueue_2* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index e47d548237..449bed0b21 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -78,7 +78,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. @@ -151,7 +151,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. @@ -187,14 +187,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md new file mode 100644 index 0000000000..ea4b084c38 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -0,0 +1,1589 @@ +--- +title: Policy CSP - ADMX_EventLog +description: Policy CSP - ADMX_EventLog +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_EventLog +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_EventLog policies + +
    +
    + ADMX_EventLog/Channel_LogEnabled +
    +
    + ADMX_EventLog/Channel_LogFilePath_1 +
    +
    + ADMX_EventLog/Channel_LogFilePath_2 +
    +
    + ADMX_EventLog/Channel_LogFilePath_3 +
    +
    + ADMX_EventLog/Channel_LogFilePath_4 +
    +
    + ADMX_EventLog/Channel_LogMaxSize_3 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_1 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_2 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_3 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_4 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_1 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_2 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_3 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_4 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_5 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_6 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_7 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_8 +
    +
    + ADMX_EventLog/Channel_Log_Retention_2 +
    +
    + ADMX_EventLog/Channel_Log_Retention_3 +
    +
    + ADMX_EventLog/Channel_Log_Retention_4 +
    +
    + + +
    + + +**ADMX_EventLog/Channel_LogEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns on logging. + +If you enable or do not configure this policy setting, then events can be written to this log. + +If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on logging* +- GP name: *Channel_LogEnabled* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_LogFilePath_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control the location of the log file* +- GP name: *Channel_LogFilePath_1* +- GP path: *Windows Components\Event Log Service\Application* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_LogFilePath_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control the location of the log file* +- GP name: *Channel_LogFilePath_2* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_LogFilePath_3** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control the location of the log file* +- GP name: *Channel_LogFilePath_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_LogFilePath_4** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on logging* +- GP name: *Channel_LogFilePath_4* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_LogMaxSize_3** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size of the log file in kilobytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the maximum log file size (KB)* +- GP name: *Channel_LogMaxSize_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_AutoBackup_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Back up log automatically when full* +- GP name: *Channel_Log_AutoBackup_1* +- GP path: *Windows Components\Event Log Service\Application* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_AutoBackup_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Back up log automatically when full* +- GP name: *Channel_Log_AutoBackup_2* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_AutoBackup_3** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Back up log automatically when full* +- GP name: *Channel_Log_AutoBackup_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_AutoBackup_4** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Back up log automatically when full* +- GP name: *Channel_Log_AutoBackup_4* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. + +If you enable this policy setting, only those users matching the security descriptor can access the log. + +If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access* +- GP name: *Channel_Log_FileLogAccess_1* +- GP path: *Windows Components\Event Log Service\Application* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. + +If you disable or do not configure this policy setting, only system software and administrators can read or clear this log. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access* +- GP name: *Channel_Log_FileLogAccess_2* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_3** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. + +If you enable this policy setting, only those users matching the security descriptor can access the log. + +If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access* +- GP name: *Channel_Log_FileLogAccess_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_4** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. + +If you disable or do not configure this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access* +- GP name: *Channel_Log_FileLogAccess_4* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_5** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +If you enable this policy setting, only those users matching the security descriptor can access the log. + +If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. + +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access (legacy)* +- GP name: *Channel_Log_FileLogAccess_5* +- GP path: *Windows Components\Event Log Service\Application* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_6** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. + +If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. + +If you disable this policy setting, only system software and administrators can read or clear this log. + +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access (legacy)* +- GP name: *Channel_Log_FileLogAccess_6* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_7** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +If you enable this policy setting, only those users matching the security descriptor can access the log. + +If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. + +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access (legacy)* +- GP name: *Channel_Log_FileLogAccess_7* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_8** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. + +If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. + +If you disable this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. + +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access (legacy)* +- GP name: *Channel_Log_FileLogAccess_8* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_Retention_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. + +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control Event Log behavior when the log file reaches its maximum size* +- GP name: *Channel_Log_Retention_2* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_Retention_3** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. + +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control Event Log behavior when the log file reaches its maximum size* +- GP name: *Channel_Log_Retention_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_Retention_4** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. + +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control Event Log behavior when the log file reaches its maximum size* +- GP name: *Channel_Log_Retention_4* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md new file mode 100644 index 0000000000..da74235b97 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -0,0 +1,400 @@ +--- +title: Policy CSP - ADMX_Explorer +description: Policy CSP - ADMX_Explorer +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Explorer +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Explorer policies + +
    +
    + ADMX_Explorer/AdminInfoUrl +
    +
    + ADMX_Explorer/AlwaysShowClassicMenu +
    +
    + ADMX_Explorer/DisableRoamedProfileInit +
    +
    + ADMX_Explorer/PreventItemCreationInUsersFilesFolder +
    +
    + ADMX_Explorer/TurnOffSPIAnimations +
    +
    + + +
    + + +**ADMX_Explorer/AdminInfoUrl** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set a support web page link* +- GP name: *AdminInfoUrl* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *Explorer.admx* + + + +
    + + +**ADMX_Explorer/AlwaysShowClassicMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures File Explorer to always display the menu bar. + +> [!NOTE] +> By default, the menu bar is not displayed in File Explorer. + +If you enable this policy setting, the menu bar will be displayed in File Explorer. + +If you disable or do not configure this policy setting, the menu bar will not be displayed in File Explorer. + +> [!NOTE] +> When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display the menu bar in File Explorer* +- GP name: *AlwaysShowClassicMenu* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *Explorer.admx* + + + +
    + + +**ADMX_Explorer/DisableRoamedProfileInit** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. + +If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time* +- GP name: *DisableRoamedProfileInit* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *Explorer.admx* + + + +
    + + +**ADMX_Explorer/PreventItemCreationInUsersFilesFolder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. + +If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. + +If you disable or do not configure this policy setting, users will be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. + +> [!NOTE] +> Enabling this policy setting does not prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from adding files to the root of their Users Files folder.* +- GP name: *PreventItemCreationInUsersFilesFolder* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *Explorer.admx* + + + +
    + + +**ADMX_Explorer/TurnOffSPIAnimations** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off common control and window animations* +- GP name: *TurnOffSPIAnimations* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *Explorer.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index 37b6b9a826..a1b52fa8fd 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. @@ -104,14 +104,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index fbdc148b37..768b9ea68d 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -93,7 +93,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. +Available in the latest Windows 10 Insider Preview Build. Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. > [!TIP] @@ -157,7 +157,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. +Available in the latest Windows 10 Insider Preview Build. Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. A value of 0, the default, will enable delete notifications for all volumes. @@ -224,7 +224,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. +Available in the latest Windows 10 Insider Preview Build. Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. > [!TIP] @@ -287,7 +287,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. +Available in the latest Windows 10 Insider Preview Build. Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. > [!TIP] @@ -350,7 +350,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. +Available in the latest Windows 10 Insider Preview Build. Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. > [!TIP] @@ -413,7 +413,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. +Available in the latest Windows 10 Insider Preview Build. This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume. @@ -479,7 +479,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: +Available in the latest Windows 10 Insider Preview Build. Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: - Local Link to a Local Target - Local Link to a Remote Target @@ -552,7 +552,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. +Available in the latest Windows 10 Insider Preview Build. TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. > [!TIP] @@ -575,14 +575,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index 845c514983..c1b7ee3ab0 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -91,7 +91,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. If you enable this policy setting, users must manually select the files they wish to make available offline. @@ -166,7 +166,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether individual redirected shell folders are available offline by default. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether individual redirected shell folders are available offline by default. For the folders affected by this setting, users must manually select the files they wish to make available offline. @@ -240,7 +240,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. @@ -309,7 +309,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. @@ -381,7 +381,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. @@ -452,7 +452,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. @@ -525,7 +525,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. @@ -557,14 +557,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md new file mode 100644 index 0000000000..4a4c00cd36 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -0,0 +1,1897 @@ +--- +title: Policy CSP - ADMX_Globalization +description: Policy CSP - ADMX_Globalization +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/14/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Globalization +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Globalization policies + +
    +
    + ADMX_Globalization/BlockUserInputMethodsForSignIn +
    +
    + ADMX_Globalization/CustomLocalesNoSelect_1 +
    +
    + ADMX_Globalization/CustomLocalesNoSelect_2 +
    +
    + ADMX_Globalization/HideAdminOptions +
    +
    + ADMX_Globalization/HideCurrentLocation +
    +
    + ADMX_Globalization/HideLanguageSelection +
    +
    + ADMX_Globalization/HideLocaleSelectAndCustomize +
    +
    + ADMX_Globalization/ImplicitDataCollectionOff_1 +
    +
    + ADMX_Globalization/ImplicitDataCollectionOff_2 +
    +
    + ADMX_Globalization/LocaleSystemRestrict +
    +
    + ADMX_Globalization/LocaleUserRestrict_1 +
    +
    + ADMX_Globalization/LocaleUserRestrict_2 +
    +
    + ADMX_Globalization/LockMachineUILanguage +
    +
    + ADMX_Globalization/LockUserUILanguage +
    +
    + ADMX_Globalization/PreventGeoIdChange_1 +
    +
    + ADMX_Globalization/PreventGeoIdChange_2 +
    +
    + ADMX_Globalization/PreventUserOverrides_1 +
    +
    + ADMX_Globalization/PreventUserOverrides_2 +
    +
    + ADMX_Globalization/RestrictUILangSelect +
    +
    + ADMX_Globalization/TurnOffAutocorrectMisspelledWords +
    +
    + ADMX_Globalization/TurnOffHighlightMisspelledWords +
    +
    + ADMX_Globalization/TurnOffInsertSpace +
    +
    + ADMX_Globalization/TurnOffOfferTextPredictions +
    +
    + ADMX_Globalization/Y2K +
    +
    + + +
    + + +**ADMX_Globalization/BlockUserInputMethodsForSignIn** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. + +Note this does not affect the availability of user input methods on the lock screen or with the UAC prompt. + +If the policy is Enabled, then the user will get input methods enabled for the system account on the sign-in page. + +If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow copying of user input methods to the system account for sign-in* +- GP name: *BlockUserInputMethodsForSignIn* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/CustomLocalesNoSelect_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. + +This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. + +The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. + +If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. + +If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. + +If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow selection of Custom Locales* +- GP name: *CustomLocalesNoSelect_1* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/CustomLocalesNoSelect_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. + +This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. + +The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. + +If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. + +If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. + +If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow selection of Custom Locales* +- GP name: *CustomLocalesNoSelect_2* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/HideAdminOptions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Administrative options from the Region settings control panel. + +Administrative options include interfaces for setting system locale and copying settings to the default user. This policy setting does not, however, prevent an administrator or another application from changing these values programmatically. + +This policy setting is used only to simplify the Regional Options control panel. + +If you enable this policy setting, the user cannot see the Administrative options. + +If you disable or do not configure this policy setting, the user can see the Administrative options. + +> [!NOTE] +> Even if a user can see the Administrative options, other policies may prevent them from modifying the values. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Regional and Language Options administrative options* +- GP name: *HideAdminOptions* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/HideCurrentLocation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. + +This policy setting is used only to simplify the Regional Options control panel. + +If you enable this policy setting, the user does not see the option to change the GeoID. This does not prevent the user or an application from changing the GeoID programmatically. + +If you disable or do not configure this policy setting, the user sees the option for changing the user location (GeoID). + +> [!NOTE] +> Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the geographic location option* +- GP name: *HideCurrentLocation* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/HideLanguageSelection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. + +This policy setting is used only to simplify the Regional Options control panel. + +If you enable this policy setting, the user does not see the option for changing the UI language. This does not prevent the user or an application from changing the UI language programmatically. If you disable or do not configure this policy setting, the user sees the option for changing the UI language. + +> [!NOTE] +> Even if a user can see the option to change the UI language, other policy settings can prevent them from changing their UI language. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the select language group options* +- GP name: *HideLanguageSelection* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/HideLocaleSelectAndCustomize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the regional formats interface from the Region settings control panel. + +This policy setting is used only to simplify the Regional and Language Options control panel. + +If you enable this policy setting, the user does not see the regional formats options. This does not prevent the user or an application from changing their user locale or user overrides programmatically. + +If you disable or do not configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide user locale selection and customization options* +- GP name: *HideLocaleSelectAndCustomize* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/ImplicitDataCollectionOff_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization. + +Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. + +> [!NOTE] +> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. + +If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. + +If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. + +If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. + +This policy setting is related to the "Turn off handwriting personalization" policy setting. + +> [!NOTE] +> The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. +> +> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off automatic learning* +- GP name: *ImplicitDataCollectionOff_1* +- GP path: *Control Panel\Regional and Language Options\Handwriting personalization* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/ImplicitDataCollectionOff_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization. + +Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. + +> [!NOTE] +> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. + +If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. + +If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. + +If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. + +This policy setting is related to the "Turn off handwriting personalization" policy setting. + +> [!NOTE] +> The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. +> +> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off automatic learning* +- GP name: *ImplicitDataCollectionOff_2* +- GP path: *Control Panel\Regional and Language Options\Handwriting personalization* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/LocaleSystemRestrict** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. + +The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). + +If you enable this policy setting, administrators can select a system locale only from the specified system locale list. + +If you disable or do not configure this policy setting, administrators can select any system locale shipped with the operating system. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict system locales* +- GP name: *LocaleSystemRestrict* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/LocaleUserRestrict_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. + +The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). + +If you enable this policy setting, only locales in the specified locale list can be selected by users. + +If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict user locales* +- GP name: *LocaleUserRestrict_1* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/LocaleUserRestrict_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. + +The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). + +If you enable this policy setting, only locales in the specified locale list can be selected by users. + +If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. + +If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict user locales* +- GP name: *LocaleUserRestrict_2* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/LockMachineUILanguage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for all users. + +This is a policy setting for computers with more than one UI language installed. + +If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI languages. The UI language selected by the user will be ignored if it is different than any of the system UI languages. + +If you disable or do not configure this policy setting, the user can specify which UI language is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restricts the UI language Windows uses for all logged users* +- GP name: *LockMachineUILanguage* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/LockUserUILanguage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for specific users. + +This policy setting applies to computers with more than one UI language installed. + +If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language for the selected user. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the user. + +If you disable or do not configure this policy setting, there is no restriction on which language users should use. + +To enable this policy setting in Windows Server 2003, Windows XP, or Windows 2000, to use the "Restrict selection of Windows menus and dialogs language" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restricts the UI languages Windows should use for the selected user* +- GP name: *LockUserUILanguage* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/PreventGeoIdChange_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID). + +If you enable this policy setting, users cannot change their GeoID. + +If you disable or do not configure this policy setting, users may select any GeoID. + +If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow changing of geographic location* +- GP name: *PreventGeoIdChange_1* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/PreventGeoIdChange_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID). + +If you enable this policy setting, users cannot change their GeoID. + +If you disable or do not configure this policy setting, users may select any GeoID. + +If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow changing of geographic location* +- GP name: *PreventGeoIdChange_2* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/PreventUserOverrides_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides. + +Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. + +When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. + +The user cannot customize their user locale with user overrides. + +If this policy setting is disabled or not configured, then the user can customize their user locale overrides. + +If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. + +To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow user override of locale settings* +- GP name: *PreventUserOverrides_1* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/PreventUserOverrides_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides. + +Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. + +When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. + +The user cannot customize their user locale with user overrides. + +If this policy setting is disabled or not configured, then the user can customize their user locale overrides. + +If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. + +To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow user override of locale settings* +- GP name: *PreventUserOverrides_2* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/RestrictUILangSelect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. + +If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different than the one used. + +To enable this policy setting in Windows Vista, use the "Restricts the UI languages Windows should use for the selected user" policy setting. + +If you disable or do not configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict selection of Windows menus and dialogs language* +- GP name: *RestrictUILangSelect* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/TurnOffAutocorrectMisspelledWords** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. + +The autocorrect misspelled words option controls whether or not errors in typed text will be automatically corrected. + +If the policy is Enabled, then the option will be locked to not autocorrect misspelled words. + +If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. + +Note that the availability and function of this setting is dependent on supported languages being enabled. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off autocorrect misspelled words* +- GP name: *TurnOffAutocorrectMisspelledWords* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/TurnOffHighlightMisspelledWords** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. + +The highlight misspelled words option controls whether or next spelling errors in typed text will be highlighted. + +If the policy is Enabled, then the option will be locked to not highlight misspelled words. + +If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. + +Note that the availability and function of this setting is dependent on supported languages being enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off highlight misspelled words* +- GP name: *TurnOffHighlightMisspelledWords* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/TurnOffInsertSpace** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically. + +The insert a space after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when using the on-screen keyboard. + +If the policy is Enabled, then the option will be locked to not insert a space after selecting a text prediction. + +If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. + +Note that the availability and function of this setting is dependent on supported languages being enabled. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off insert a space after selecting a text prediction* +- GP name: *TurnOffInsertSpace* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/TurnOffOfferTextPredictions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically. + +The offer text predictions as I type option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard. + +If the policy is Enabled, then the option will be locked to not offer text predictions. + +If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. + +Note that the availability and function of this setting is dependent on supported languages being enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off offer text predictions as I type* +- GP name: *TurnOffOfferTextPredictions* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/Y2K** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how programs interpret two-digit years. + +This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consult the documentation or manufacturer of the program. + +If you enable this policy setting, the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interpreted as being preceded by 19. + +For example, the default value, 2029, specifies that all two-digit years less than or equal to 29 (00 to 29) are interpreted as being preceded by 20, that is 2000 to 2029. Conversely, all two-digit years greater than 29 (30 to 99) are interpreted as being preceded by 19, that is, 1930 to 1999. + +If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this scheme for the program. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Century interpretation for Year 2000* +- GP name: *Y2K* +- GP path: *System* +- GP ADMX file name: *Globalization.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md new file mode 100644 index 0000000000..1b089bd628 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md @@ -0,0 +1,3411 @@ +--- +title: Policy CSP - ADMX_GroupPolicy +description: Policy CSP - ADMX_GroupPolicy +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/21/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_GroupPolicy +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_GroupPolicy policies + +
    +
    + ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP +
    +
    + ADMX_GroupPolicy/CSE_AppMgmt +
    +
    + ADMX_GroupPolicy/CSE_DiskQuota +
    +
    + ADMX_GroupPolicy/CSE_EFSRecovery +
    +
    + ADMX_GroupPolicy/CSE_FolderRedirection +
    +
    + ADMX_GroupPolicy/CSE_IEM +
    +
    + ADMX_GroupPolicy/CSE_IPSecurity +
    +
    + ADMX_GroupPolicy/CSE_Registry +
    +
    + ADMX_GroupPolicy/CSE_Scripts +
    +
    + ADMX_GroupPolicy/CSE_Security +
    +
    + ADMX_GroupPolicy/CSE_Wired +
    +
    + ADMX_GroupPolicy/CSE_Wireless +
    +
    + ADMX_GroupPolicy/CorpConnSyncWaitTime +
    +
    + ADMX_GroupPolicy/DenyRsopToInteractiveUser_1 +
    +
    + ADMX_GroupPolicy/DenyRsopToInteractiveUser_2 +
    +
    + ADMX_GroupPolicy/DisableAOACProcessing +
    +
    + ADMX_GroupPolicy/DisableAutoADMUpdate +
    +
    + ADMX_GroupPolicy/DisableBackgroundPolicy +
    +
    + ADMX_GroupPolicy/DisableLGPOProcessing +
    +
    + ADMX_GroupPolicy/DisableUsersFromMachGP +
    +
    + ADMX_GroupPolicy/EnableCDP +
    +
    + ADMX_GroupPolicy/EnableLogonOptimization +
    +
    + ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU +
    +
    + ADMX_GroupPolicy/EnableMMX +
    +
    + ADMX_GroupPolicy/EnforcePoliciesOnly +
    +
    + ADMX_GroupPolicy/FontMitigation +
    +
    + ADMX_GroupPolicy/GPDCOptions +
    +
    + ADMX_GroupPolicy/GPTransferRate_1 +
    +
    + ADMX_GroupPolicy/GPTransferRate_2 +
    +
    + ADMX_GroupPolicy/GroupPolicyRefreshRate +
    +
    + ADMX_GroupPolicy/GroupPolicyRefreshRateDC +
    +
    + ADMX_GroupPolicy/GroupPolicyRefreshRateUser +
    +
    + ADMX_GroupPolicy/LogonScriptDelay +
    +
    + ADMX_GroupPolicy/NewGPODisplayName +
    +
    + ADMX_GroupPolicy/NewGPOLinksDisabled +
    +
    + ADMX_GroupPolicy/OnlyUseLocalAdminFiles +
    +
    + ADMX_GroupPolicy/ProcessMitigationOptions +
    +
    + ADMX_GroupPolicy/RSoPLogging +
    +
    + ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy +
    +
    + ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess +
    +
    + ADMX_GroupPolicy/SlowlinkDefaultToAsync +
    +
    + ADMX_GroupPolicy/SyncWaitTime +
    +
    + ADMX_GroupPolicy/UserPolicyMode +
    +
    + + +
    + + +**ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logons across forests. + +This policy setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists. + +If you do not configure this policy setting: + +- No user-based policy settings are applied from the user's forest. +- Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted. +- Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer. +- An event log message (1109) is posted, stating that loopback was invoked in Replace mode. + +If you enable this policy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest. + +If you disable this policy setting, the behavior is the same as if it is not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow cross-forest user policy and roaming user profiles* +- GP name: *AllowX-ForestPolicy-and-RUP* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_AppMgmt** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when software installation policies are updated. + +This policy setting affects all policy settings that use the software installation component of Group Policy, such as policy settings in Software Settings\Software Installation. You can set software installation policy only for Group Policy Objects stored in Active Directory, not for Group Policy Objects on the local computer. + +This policy setting overrides customized settings that the program implementing the software installation policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy setting implementations specify that they are updated only when changed. However, you might want to update unchanged policy settings, such as reapplying a desired policies in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure software Installation policy processing* +- GP name: *CSE_AppMgmt* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_DiskQuota** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when disk quota policies are updated. + +This policy setting affects all policies that use the disk quota component of Group Policy, such as those in Computer Configuration\Administrative Templates\System\Disk Quotas. + +This policy setting overrides customized settings that the program implementing the disk quota policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure disk quota policy processing* +- GP name: *CSE_DiskQuota* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_EFSRecovery** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when encryption policies are updated. + +This policy setting affects all policies that use the encryption component of Group Policy, such as policies related to encryption in Windows Settings\Security Settings. + +It overrides customized settings that the program implementing the encryption policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure EFS recovery policy processing* +- GP name: *CSE_EFSRecovery* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_FolderRedirection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when folder redirection policies are updated. + +This policy setting affects all policies that use the folder redirection component of Group Policy, such as those in WindowsSettings\Folder Redirection. You can only set folder redirection policy for Group Policy objects, stored in Active Directory, not for Group Policy objects on the local computer. + +This policy setting overrides customized settings that the program implementing the folder redirection policy setting set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure folder redirection policy processing* +- GP name: *CSE_FolderRedirection* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_IEM** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when Internet Explorer Maintenance policies are updated. + +This policy setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those in Windows Settings\Internet Explorer Maintenance. + +This policy setting overrides customized settings that the program implementing the Internet Explorer Maintenance policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Internet Explorer Maintenance policy processing* +- GP name: *CSE_IEM* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_IPSecurity** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when IP security policies are updated. + +This policy setting affects all policies that use the IP security component of Group Policy, such as policies in Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Local Machine. + +This policy setting overrides customized settings that the program implementing the IP security policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure IP security policy processing* +- GP name: *CSE_IPSecurity* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_Registry** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when registry policies are updated. + +This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure registry policy processing* +- GP name: *CSE_Registry* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_Scripts** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign shared scripts are updated. + +This policy setting affects all policies that use the scripts component of Group Policy, such as those in WindowsSettings\Scripts. It overrides customized settings that the program implementing the scripts policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure scripts policy processing* +- GP name: *CSE_Scripts* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_Security** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when security policies are updated. + +This policy setting affects all policies that use the security component of Group Policy, such as those in Windows Settings\Security Settings. + +This policy setting overrides customized settings that the program implementing the security policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure security policy processing* +- GP name: *CSE_Security* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_Wired** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign wired network settings are updated. + +This policy setting affects all policies that use the wired network component of Group Policy, such as those in Windows Settings\Wired Network Policies. + +It overrides customized settings that the program implementing the wired network set when it was installed. + +If you enable this policy, you can use the check boxes provided to change the options. + +If you disable this setting or do not configure it, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure wired policy processing* +- GP name: *CSE_Wired* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_Wireless** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign wireless network settings are updated. + +This policy setting affects all policies that use the wireless network component of Group Policy, such as those in WindowsSettings\Wireless Network Policies. + +It overrides customized settings that the program implementing the wireless network set when it was installed. + +If you enable this policy, you can use the check boxes provided to change the options. + +If you disable this setting or do not configure it, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure wireless policy processing* +- GP name: *CSE_Wireless* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CorpConnSyncWaitTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. + +If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time. + +If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify workplace connectivity wait time for policy processing* +- GP name: *CorpConnSyncWaitTime* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DenyRsopToInteractiveUser_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. + +By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. + +If you enable this policy setting, interactive users cannot generate RSoP data. + +If you disable or do not configure this policy setting, interactive users can generate RSoP. + +> [!NOTE] +> This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. +> +> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc. +> +> This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Determine if interactive users can generate Resultant Set of Policy data* +- GP name: *DenyRsopToInteractiveUser_1* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DenyRsopToInteractiveUser_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. + +By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. + +If you enable this policy setting, interactive users cannot generate RSoP data. + +If you disable or do not configure this policy setting, interactive users can generate RSoP + +> [!NOTE] +> This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. +> +> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc. +> +> This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Determine if interactive users can generate Resultant Set of Policy data* +- GP name: *DenyRsopToInteractiveUser_2* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DisableAOACProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the Group Policy Client Service from stopping when idle. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Group Policy Client Service AOAC optimization* +- GP name: *DisableAOACProcessing* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DisableAutoADMUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor. + +Administrators might want to use this if they are concerned about the amount of space used on the system volume of a DC. + +By default, when you start the Group Policy Object Editor, a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files stored in the GPO. + +If the local files are newer, they are copied into the GPO. + +Changing the status of this setting to Enabled will keep any source files from copying to the GPO. + +Changing the status of this setting to Disabled will enforce the default behavior. + +Files will always be copied to the GPO if they have a later timestamp. + +> [!NOTE] +> If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off automatic update of ADM files* +- GP name: *DisableAutoADMUpdate* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DisableBackgroundPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users, and domain controllers. + +If you enable this policy setting, the system waits until the current user logs off the system before updating the computer and user settings. + +If you disable or do not configure this policy setting, updates can be applied while users are working. The frequency of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for users" policy settings. + +> [!NOTE] +> If you make changes to this policy setting, you must restart your computer for it to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off background refresh of Group Policy* +- GP name: *DisableBackgroundPolicy* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DisableLGPOProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied. + +By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only domain-based GPOs are applied. + +If you enable this policy setting, the system does not process and apply any Local GPOs. + +If you disable or do not configure this policy setting, Local GPOs continue to be applied. + +> [!NOTE] +> For computers joined to a domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Local Group Policy Objects processing* +- GP name: *DisableLGPOProcessing* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DisableUsersFromMachGP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control a user's ability to invoke a computer policy refresh. + +If you enable this policy setting, users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs. + +If you disable or do not configure this policy setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user. + +Note: This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is configured. + +Also, see the "Set Group Policy refresh interval for computers" policy setting to change the policy refresh interval. + +> [!NOTE] +> If you make changes to this policy setting, you must restart your computer for it to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove users' ability to invoke machine policy refresh* +- GP name: *DisableUsersFromMachGP* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/EnableCDP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). + +If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device experiences. + +If you disable this policy setting, the Windows device is not discoverable by other devices, and cannot participate in cross-device experiences. + +If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Continue experiences on this device* +- GP name: *EnableCDP* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/EnableLogonOptimization** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Group Policy caching behavior. + +If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) + +The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. + +The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds. + +If you disable this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Group Policy Caching* +- GP name: *EnableLogonOptimization* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. + +If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) + +The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. + +The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds. + +If you disable or do not configure this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable Group Policy Caching for Servers* +- GP name: *EnableLogonOptimizationOnServerSKU* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/EnableMMX** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC. + +If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences. + +If you disable this policy setting, the Windows device is not allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and cannot participate in Continue on PC experiences. + +If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Phone-PC linking on this device* +- GP name: *EnableMMX* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/EnforcePoliciesOnly** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents administrators from viewing or using Group Policy preferences. + +A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which are not fully supported, use registry entries in other subkeys. + +If you enable this policy setting, the "Show Policies Only" command is turned on, and administrators cannot turn it off. As a result, Group Policy Object Editor displays only true settings; preferences do not appear. + +If you disable or do not configure this policy setting, the "Show Policies Only" command is turned on by default, but administrators can view preferences by turning off the "Show Policies Only" command. + +> [!NOTE] +> To find the "Show Policies Only" command, in Group Policy Object Editor, click the Administrative Templates folder (either one), right-click the same folder, and then point to "View." + +In Group Policy Object Editor, preferences have a red icon to distinguish them from true settings, which have a blue icon. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enforce Show Policies Only* +- GP name: *EnforcePoliciesOnly* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/FontMitigation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. + +This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Untrusted Font Blocking* +- GP name: *DisableUsersFromMachGP* +- GP path: *System\Mitigation Options* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/GPDCOptions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. + +If you enable this setting, you can which domain controller is used according to these options: + +"Use the Primary Domain Controller" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller designated as the PDC Operations Master for the domain. + +"Inherit from Active Directory Snap-ins" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller that Active Directory Users and Computers or Active Directory Sites and Services snap-ins use. + +"Use any available domain controller" indicates that the Group Policy Object Editor snap-in can read and write changes to any available domain controller. + +If you disable this setting or do not configure it, the Group Policy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain. + +> [!NOTE] +> To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operations Masters." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Group Policy domain controller selection* +- GP name: *GPDCOptions* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/GPTransferRate_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for purposes of applying and updating Group Policy. + +If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. + +The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links. + +If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. + +If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. + +This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. + +Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Group Policy slow link detection* +- GP name: *GPTransferRate_1* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/GPTransferRate_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for purposes of applying and updating Group Policy. + +If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. + +The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links. + +If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. + +If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. + +This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. + +Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Group Policy slow link detection* +- GP name: *GPTransferRate_2* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/GroupPolicyRefreshRate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy for computers is updated while the computer is in use (in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder. + +In addition to background updates, Group Policy for the computer is always updated when the system starts. + +By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. + +If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. + +If you disable this setting, Group Policy is updated every 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" policy. + +The Set Group Policy refresh interval for computers policy also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly. + +This setting establishes the update rate for computer Group Policy. To set an update rate for user policies, use the "Set Group Policy refresh interval for users" setting (located in User Configuration\Administrative Templates\System\Group Policy). + +This setting is only used when the "Turn off background refresh of Group Policy" setting is not enabled. + +> [!NOTE] +> Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Group Policy refresh interval for computers* +- GP name: *GroupPolicyRefreshRate* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/GroupPolicyRefreshRateDC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts. + +By default, Group Policy on the domain controllers is updated every five minutes. + +If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. + +If you disable or do not configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. + +This setting also lets you specify how much the actual update interval varies. To prevent domain controllers with the same update interval from requesting updates simultaneously, the system varies the update interval for each controller by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that update requests overlap. However, updates might be delayed significantly. + +> [!NOTE] +> This setting is used only when you are establishing policy for a domain, site, organizational unit (OU), or customized group. If you are establishing policy for a local computer only, the system ignores this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Group Policy refresh interval for domain controllers* +- GP name: *GroupPolicyRefreshRateDC* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/GroupPolicyRefreshRateUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder. + +In addition to background updates, Group Policy for users is always updated when users log on. + +By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. + +If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. + +If you disable this setting, user Group Policy is updated every 90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. + +This setting also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly. + +> [!IMPORTANT] +> If the "Turn off background refresh of Group Policy" setting is enabled, this setting is ignored. + +> [!NOTE] +> This setting establishes the update rate for user Group Policies. To set an update rate for computer Group Policies, use the "Group Policy refresh interval for computers" setting (located in Computer Configuration\Administrative Templates\System\Group Policy). + +> [!TIP] +> Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Group Policy refresh interval for users* +- GP name: *GroupPolicyRefreshRateUser* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/LogonScriptDelay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enter “0” to disable Logon Script Delay. + +This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts. + +By default, the Group Policy client waits five minutes before running logon scripts. This helps create a responsive desktop environment by preventing disk contention. + +If you enable this policy setting, Group Policy will wait for the specified amount of time before running logon scripts. + +If you disable this policy setting, Group Policy will run scripts immediately after logon. + +If you do not configure this policy setting, Group Policy will wait five minutes before running logon scripts. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Logon Script Delay* +- GP name: *LogonScriptDelay* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/NewGPODisplayName** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the default display name for new Group Policy objects. + +This setting allows you to specify the default name for new Group Policy objects created from policy compliant Group Policy Management tools including the Group Policy tab in Active Directory tools and the GPO browser. + +The display name can contain environment variables and can be a maximum of 255 characters long. + +If this setting is Disabled or Not Configured, the default display name of New Group Policy object is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set default name for new Group Policy objects* +- GP name: *NewGPODisplayName* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/NewGPOLinksDisabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create new Group Policy object links in the disabled state. + +If you enable this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system. + +If you disable this setting or do not configure it, new Group Policy object links are created in the enabled state. If you do not want them to be effective until they are configured and tested, you must disable the object link. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Create new Group Policy Object links disabled by default* +- GP name: *NewGPOLinksDisabled* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/OnlyUseLocalAdminFiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you always use local ADM files for the Group Policy snap-in. + +By default, when you edit a Group Policy Object (GPO) using the Group Policy Object Editor snap-in, the ADM files are loaded from that GPO into the Group Policy Object Editor snap-in. This allows you to use the same version of the ADM files that were used to create the GPO while editing this GPO. + +This leads to the following behavior: + +- If you originally created the GPO with, for example, an English system, the GPO contains English ADM files. + +- If you later edit the GPO from a different-language system, you get the English ADM files as they were in the GPO. + +You can change this behavior by using this setting. + +If you enable this setting, the Group Policy Object Editor snap-in always uses local ADM files in your %windir%\inf directory when editing GPOs. + +This leads to the following behavior: + +- If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates. + +If you disable or do not configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO. + +> [!NOTE] +> If the ADMs that you require are not all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always use local ADM files for Group Policy Object Editor* +- GP name: *OnlyUseLocalAdminFiles* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/ProcessMitigationOptions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This security feature provides a means to override individual process MitigationOptions settings. This can be used to enforce a number of security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are: + +PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001) +Enables data execution prevention (DEP) for the child process + +PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002) +Enables DEP-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Active Template Library (ATL) thunk layer. + +PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004) +Enables structured exception handler overwrite protection (SEHOP) for the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique. + +PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100) +The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that are not dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required, images that do not have a base relocation section will not be loaded. + +PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000) +PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000) +The bottom-up randomization policy, which includes stack randomization options, causes a random location to be used as the lowest user address. + +For instance, to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON, disable PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF, and to leave all other options at their default values, specify a value of: +???????????????0???????1???????1 + +Setting flags not specified here to any value other than ? results in undefined behavior. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Process Mitigation Options* +- GP name: *ProcessMitigationOptions* +- GP path: *System\Mitigation Options* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/RSoPLogging** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. + +RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Policy Objects (GPO) were applied, where they came from, and the client-side extension settings that were included. + +If you enable this setting, RSoP logging is turned off. + +If you disable or do not configure this setting, RSoP logging is turned on. By default, RSoP logging is always on. + +> [!NOTE] +> To view the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Resultant Set of Policy logging* +- GP name: *RSoPLogging* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable AD/DFS domain controller synchronization during policy refresh* +- GP name: *ResetDfsClientInfoDuringRefreshPolicy* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the purposes of applying and updating Group Policy. + +When Group Policy detects the bandwidth speed of a Direct Access connection, the detection can sometimes fail to provide any bandwidth speed information. If Group Policy detects a bandwidth speed, Group Policy will follow the normal rules for evaluating if the Direct Access connection is a fast or slow network connection. If no bandwidth speed is detected, Group Policy will default to a slow network connection. This policy setting allows the administrator the option to override the default to slow network connection and instead default to using a fast network connection in the case that no network bandwidth speed is determined. + +> [!NOTE] +> When Group Policy detects a slow network connection, Group Policy will only process those client side extensions configured for processing across a slow link (slow network connection). + +If you enable this policy, when Group Policy cannot determine the bandwidth speed across Direct Access, Group Policy will evaluate the network connection as a fast link and process all client side extensions. + +If you disable this setting or do not configure it, Group Policy will evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Direct Access connections as a fast network connection* +- GP name: *SlowLinkDefaultForDirectAccess* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/SlowlinkDefaultToAsync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) when a slow network connection is detected. + +If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner. +Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached credentials, +which will result in shorter logon times. Group Policy will be applied in the background after the network becomes available. +Note that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection +and Drive Maps preference extension will not be applied. + +> [!NOTE] +> There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled: +> +> - 1 - At the first computer startup after the client computer has joined the domain. +> - 2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled. + +If you disable or do not configure this policy setting, detecting a slow network connection will not affect whether Group Policy processing will be synchronous or asynchronous. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Change Group Policy processing to run asynchronously when a slow network connection is detected.* +- GP name: *SlowlinkDefaultToAsync* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/SyncWaitTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. + +If you enable this policy setting, Group Policy will use this administratively configured maximum wait time and override any default or system-computed wait time. + +If you disable or do not configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Windows Vista operating system. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify startup policy processing wait time* +- GP name: *SyncWaitTime* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/UserPolicyMode** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. + +By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. + +If you enable this setting, you can select one of the following modes from the Mode box: + +"Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user. + +"Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings. + +If you disable this setting or do not configure it, the user's Group Policy Objects determines which user settings apply. + +> [!NOTE] +> This setting is effective only when both the computer account and the user account are in at least Windows 2000 domains. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure user Group Policy loopback processing mode* +- GP name: *UserPolicyMode* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index d705d091a0..3b42429ea9 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -18,7 +18,7 @@ manager: dansimp
    - + -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention. Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system memory safely. @@ -154,7 +154,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. If you enable this policy setting, the commands function only for .chm files in the specified folders and their subfolders. @@ -237,7 +237,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to restrict programs from being run from online Help. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. @@ -311,7 +311,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to restrict programs from being run from online Help. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. @@ -342,14 +342,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md index 10d08651fc..ca46354852 100644 --- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md +++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements. @@ -152,7 +152,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can provide ratings for Help content. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can provide ratings for Help content. If you enable this policy setting, ratings controls are not added to Help content. @@ -222,7 +222,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. If you enable this policy setting, users cannot participate in the Help Experience Improvement program. @@ -291,7 +291,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows. If you enable this policy setting, users are prevented from accessing online assistance content from Windows Online. @@ -318,14 +318,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md new file mode 100644 index 0000000000..63e72f5539 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-icm.md @@ -0,0 +1,1991 @@ +--- +title: Policy CSP - ADMX_ICM +description: Policy CSP - ADMX_ICM +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ICM +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_ICM policies + +
    +
    + ADMX_ICM/CEIPEnable +
    +
    + ADMX_ICM/CertMgr_DisableAutoRootUpdates +
    +
    + ADMX_ICM/DisableHTTPPrinting_1 +
    +
    + ADMX_ICM/DisableWebPnPDownload_1 +
    +
    + ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate +
    +
    + ADMX_ICM/EventViewer_DisableLinks +
    +
    + ADMX_ICM/HSS_HeadlinesPolicy +
    +
    + ADMX_ICM/HSS_KBSearchPolicy +
    +
    + ADMX_ICM/InternetManagement_RestrictCommunication_1 +
    +
    + ADMX_ICM/InternetManagement_RestrictCommunication_2 +
    +
    + ADMX_ICM/NC_ExitOnISP +
    +
    + ADMX_ICM/NC_NoRegistration +
    +
    + ADMX_ICM/PCH_DoNotReport +
    +
    + ADMX_ICM/RemoveWindowsUpdate_ICM +
    +
    + ADMX_ICM/SearchCompanion_DisableFileUpdates +
    +
    + ADMX_ICM/ShellNoUseInternetOpenWith_1 +
    +
    + ADMX_ICM/ShellNoUseInternetOpenWith_2 +
    +
    + ADMX_ICM/ShellNoUseStoreOpenWith_1 +
    +
    + ADMX_ICM/ShellNoUseStoreOpenWith_2 +
    +
    + ADMX_ICM/ShellPreventWPWDownload_1 +
    +
    + ADMX_ICM/ShellRemoveOrderPrints_1 +
    +
    + ADMX_ICM/ShellRemoveOrderPrints_2 +
    +
    + ADMX_ICM/ShellRemovePublishToWeb_1 +
    +
    + ADMX_ICM/ShellRemovePublishToWeb_2 +
    +
    + ADMX_ICM/WinMSG_NoInstrumentation_1 +
    +
    + ADMX_ICM/WinMSG_NoInstrumentation_2 +
    +
    + + +
    + + +**ADMX_ICM/CEIPEnable** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It is simple and user-friendly. + +If you enable this policy setting, all users are opted out of the Windows Customer Experience Improvement Program. + +If you disable this policy setting, all users are opted into the Windows Customer Experience Improvement Program. + +If you do not configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Customer Experience Improvement Program* +- GP name: *CEIPEnable* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/CertMgr_DisableAutoRootUpdates** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to automatically update root certificates using the Windows Update website. + +Typically, a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities. + +If you enable this policy setting, when you are presented with a certificate issued by an untrusted root authority, your computer will not contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities. + +If you disable or do not configure this policy setting, your computer will contact the Windows Update website. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Automatic Root Certificates Update* +- GP name: *CertMgr_DisableAutoRootUpdates* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/DisableHTTPPrinting_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to allow printing over HTTP from this client. + +Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. + +> [!NOTE] +> This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. + +If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. + +If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off printing over HTTP* +- GP name: *DisableHTTPPrinting_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/DisableWebPnPDownload_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to allow this client to download print driver packages over HTTP. + +To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. + +> [!NOTE] +> This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. + +It only prohibits downloading drivers that are not already installed locally. + +If you enable this policy setting, print drivers cannot be downloaded over HTTP. + +If you disable or do not configure this policy setting, users can download print drivers over HTTP. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off downloading of print drivers over HTTP* +- GP name: *DisableWebPnPDownload_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present. + +If you enable this policy setting, Windows Update is not searched when a new device is installed. + +If you disable this policy setting, Windows Update is always searched for drivers when no local drivers are present. + +If you do not configure this policy setting, searching Windows Update is optional when installing a device. + +Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System," which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver is not found locally. + +> [!NOTE] +> This policy setting is replaced by "Specify Driver Source Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Update device driver searching* +- GP name: *DriverSearchPlaces_DontSearchWindowsUpdate* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/EventViewer_DisableLinks** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application. + +The Event Viewer normally makes all HTTP(S) URLs into hyperlinks that activate the Internet browser when clicked. In addition, "More Information" is placed at the end of the description text if the event is created by a Microsoft component. This text contains a link (URL) that, if clicked, sends information about the event to Microsoft, and allows users to learn more about why that event occurred. + +If you enable this policy setting, event description hyperlinks are not activated and the text "More Information" is not displayed at the end of the description. + +If you disable or do not configure this policy setting, the user can click the hyperlink, which prompts the user and then sends information about the event over the Internet to Microsoft. + +Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer". + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Event Viewer "Events.asp" links* +- GP name: *EventViewer_DisableLinks* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/HSS_HeadlinesPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to show the "Did you know?" section of Help and Support Center. + +This content is dynamically updated when users who are connected to the Internet open Help and Support Center, and provides up-to-date information about Windows and the computer. + +If you enable this policy setting, the Help and Support Center no longer retrieves nor displays "Did you know?" content. + +If you disable or do not configure this policy setting, the Help and Support Center retrieves and displays "Did you know?" content. + +You might want to enable this policy setting for users who do not have Internet access, because the content in the "Did you know?" section will remain static indefinitely without an Internet connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Help and Support Center "Did you know?" content* +- GP name: *HSS_HeadlinesPolicy* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/HSS_KBSearchPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center. + +The Knowledge Base is an online source of technical support information and self-help tools for Microsoft products, and is searched as part of all Help and Support Center searches with the default search options. + +If you enable this policy setting, it removes the Knowledge Base section from the Help and Support Center "Set search options" page, and only Help content on the local computer is searched. + +If you disable or do not configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and has not disabled the Knowledge Base search from the Search Options page. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Help and Support Center Microsoft Knowledge Base search* +- GP name: *HSS_KBSearchPolicy* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/InternetManagement_RestrictCommunication_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. + +If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. + +If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. + +If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict Internet communication* +- GP name: *InternetManagement_RestrictCommunication_1* +- GP path: *System\Internet Communication Management* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/InternetManagement_RestrictCommunication_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. + +If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. + +If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. + +If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict Internet communication* +- GP name: *InternetManagement_RestrictCommunication_2* +- GP path: *System\Internet Communication Management* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/NC_ExitOnISP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). + +If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers. + +If you disable or do not configure this policy setting, users can connect to Microsoft to download a list of ISPs for their area. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com* +- GP name: *NC_ExitOnISP* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/NC_NoRegistration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. + +If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online. + +If you disable or do not configure this policy setting, users can connect to Microsoft.com to complete the online Windows Registration. + +Note that registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but does not involve submitting any personal information (except the country/region you live in). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Registration if URL connection is referring to Microsoft.com* +- GP name: *NC_NoRegistration* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/PCH_DoNotReport** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not errors are reported to Microsoft. + +Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. + +If you enable this policy setting, users are not given the option to report errors. + +If you disable or do not configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file share. + +This policy setting overrides any user setting made from the Control Panel for error reporting. + +Also see the "Configure Error Reporting", "Display Error Notification" and "Disable Windows Error Reporting" policy settings under Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Error Reporting* +- GP name: *PCH_DoNotReport* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/RemoveWindowsUpdate_ICM** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove access to Windows Update. + +If you enable this policy setting, all Windows Update features are removed. This includes blocking access to the Windows Update website at https://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website. + +If you disable or do not configure this policy setting, users can access the Windows Update website and enable automatic updating to receive notifications and critical updates from Windows Update. + +> [!NOTE] +> This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off access to all Windows Update features* +- GP name: *RemoveWindowsUpdate_ICM* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/SearchCompanion_DisableFileUpdates** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. + +When users search the local computer or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display results. + +If you enable this policy setting, Search Companion does not download content updates during searches. + +If you disable or do not configure this policy setting, Search Companion downloads content updates unless the user is using Classic Search. + +> [!NOTE] +> Internet searches still send the search text and information about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion feature completely. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Search Companion content file updates* +- GP name: *SearchCompanion_DisableFileUpdates* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellNoUseInternetOpenWith_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. + +When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. + +If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. + +If you disable or do not configure this policy setting, the user is allowed to use the Web service. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Internet File Association service* +- GP name: *ShellNoUseInternetOpenWith_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellNoUseInternetOpenWith_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. + +When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. + +If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. + +If you disable or do not configure this policy setting, the user is allowed to use the Web service. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Internet File Association service* +- GP name: *ShellNoUseInternetOpenWith_2* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellNoUseStoreOpenWith_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. + +When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. + +If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. + +If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off access to the Store* +- GP name: *ShellNoUseStoreOpenWith_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellNoUseStoreOpenWith_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. + +When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. + +If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. + +If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off access to the Store* +- GP name: *ShellNoUseStoreOpenWith_2* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellPreventWPWDownload_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. + +If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. + +If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards. + +See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Internet download for Web publishing and online ordering wizards* +- GP name: *ShellPreventWPWDownload_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellRemoveOrderPrints_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. + +The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. + +If you disable or do not configure this policy setting, the task is displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the "Order Prints" picture task* +- GP name: *ShellRemoveOrderPrints_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellRemoveOrderPrints_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. + +The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. + +If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. + +If you disable or do not configure this policy setting, the task is displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the "Order Prints" picture task* +- GP name: *ShellRemoveOrderPrints_2* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellRemovePublishToWeb_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. + +The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. + +If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. If you disable or do not configure this policy setting, the tasks are shown. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the "Publish to Web" task for files and folders* +- GP name: *ShellRemovePublishToWeb_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellRemovePublishToWeb_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. + +The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. + +If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. + +If you disable or do not configure this policy setting, the tasks are shown. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the "Publish to Web" task for files and folders* +- GP name: *ShellRemovePublishToWeb_2* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/WinMSG_NoInstrumentation_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. + +With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. + +This information is used to improve the product in future releases. + +If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown. + +If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the Windows Messenger Customer Experience Improvement Program* +- GP name: *WinMSG_NoInstrumentation_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/WinMSG_NoInstrumentation_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. + +With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. + +This information is used to improve the product in future releases. + +If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown. + +If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. + +If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the Windows Messenger Customer Experience Improvement Program* +- GP name: *WinMSG_NoInstrumentation_2* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index 4a63715208..ec9b9e660a 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md @@ -89,7 +89,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. @@ -185,7 +185,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. @@ -256,7 +256,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied. +Available in the latest Windows 10 Insider Preview Build. Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied. This policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension. @@ -331,7 +331,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure a domain controller to request compound authentication. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a domain controller to request compound authentication. > [!NOTE] > For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled. @@ -403,7 +403,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. @@ -472,7 +472,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether the domain controller provides information about previous logons to client computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the domain controller provides information about previous logons to client computers. If you enable this policy setting, the domain controller provides the information message about previous logons. @@ -504,14 +504,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md new file mode 100644 index 0000000000..7f36359852 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -0,0 +1,641 @@ +--- +title: Policy CSP - ADMX_Kerberos +description: Policy CSP - ADMX_Kerberos +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Kerberos +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Kerberos policies + +
    +
    + ADMX_Kerberos/AlwaysSendCompoundId +
    +
    + ADMX_Kerberos/DevicePKInitEnabled +
    +
    + ADMX_Kerberos/HostToRealm +
    +
    + ADMX_Kerberos/KdcProxyDisableServerRevocationCheck +
    +
    + ADMX_Kerberos/KdcProxyServer +
    +
    + ADMX_Kerberos/MitRealms +
    +
    + ADMX_Kerberos/ServerAcceptsCompound +
    +
    + ADMX_Kerberos/StrictTarget +
    +
    + + +
    + + +**ADMX_Kerberos/AlwaysSendCompoundId** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. + +> [!NOTE] +> For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. + +If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request. + +If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always send compound authentication first* +- GP name: *AlwaysSendCompoundId* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/DevicePKInitEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. + +This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. + +If you enable this policy setting, the device's credentials will be selected based on the following options: + +- Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted. +- Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail. + +If you disable this policy setting, certificates will never be used. + +If you do not configure this policy setting, Automatic will be used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Support device authentication using certificate* +- GP name: *DevicePKInitEnabled* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/HostToRealm** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. + +If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. + +If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted. + +If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define host name-to-Kerberos realm mappings* +- GP name: *HostToRealm* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/KdcProxyDisableServerRevocationCheck** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server. + +If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. +Warning: When revocation check is ignored, the server represented by the certificate is not guaranteed valid. + +If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable revocation checking for the SSL certificate of KDC proxy servers* +- GP name: *KdcProxyDisableServerRevocationCheck* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/KdcProxyServer** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names. + +If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. + +If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify KDC proxy servers for Kerberos clients* +- GP name: *KdcProxyServer* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/MitRealms** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting. + +If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. + +If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted. + +If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define interoperable Kerberos V5 realm settings* +- GP name: *MitRealms* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/ServerAcceptsCompound** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls configuring the device's Active Directory account for compound authentication. + +Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy. + +If you enable this policy setting, the device's Active Directory account will be configured for compound authentication by the following options: + +- Never: Compound authentication is never provided for this computer account. +- Automatic: Compound authentication is provided for this computer account when one or more applications are configured for Dynamic Access Control. +- Always: Compound authentication is always provided for this computer account. + +If you disable this policy setting, Never will be used. + +If you do not configure this policy setting, Automatic will be used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Support compound authentication* +- GP name: *ServerAcceptsCompound* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/StrictTarget** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN. + +If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate. + +If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require strict target SPN match on remote procedure calls* +- GP name: *StrictTarget* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index ddaddd01f1..74d7cb2b32 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the cipher suites used by the SMB server. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the SMB server. If you enable this policy setting, cipher suites are prioritized in the order specified. @@ -172,7 +172,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed. Policy configuration @@ -255,7 +255,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it is the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes. @@ -338,7 +338,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client's preferences. @@ -367,15 +367,15 @@ ADMX Info:
    Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md new file mode 100644 index 0000000000..96da8caef4 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md @@ -0,0 +1,285 @@ +--- +title: Policy CSP - ADMX_LanmanWorkstation +description: Policy CSP - ADMX_LanmanWorkstation +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_LanmanWorkstation +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_LanmanWorkstation policies + +
    +
    + ADMX_LanmanWorkstation/Pol_CipherSuiteOrder +
    +
    + ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles +
    +
    + ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares +
    +
    + + +
    + + +**ADMX_LanmanWorkstation/Pol_CipherSuiteOrder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the SMB client. + +If you enable this policy setting, cipher suites are prioritized in the order specified. + +If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used. + +SMB 3.11 cipher suites: + +- AES_128_GCM +- AES_128_CCM +- AES_256_GCM +- AES_256_CCM + +> [!NOTE] +> AES_256 is not supported on Windows 10 version 20H2 and lower. If you enter only AES_256 crypto lines, the older clients will not be able to connect anymore. + +SMB 3.0 and 3.02 cipher suites: + +- AES_128_CCM + +How to modify this setting: + +Arrange the desired cipher suites in the edit box, one cipher suite per line, in order from most to least preferred, with the most preferred cipher suite at the top. Remove any cipher suites you don't want to use. + +> [!NOTE] +> When configuring this security setting, changes will not take effect until you restart Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Cipher suite order* +- GP name: *Pol_CipherSuiteOrder* +- GP path: *Network\Lanman Workstation* +- GP ADMX file name: *LanmanWorkstation.admx* + + + +
    + + +**ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. + +If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files. + +If you disable or do not configure this policy setting, Windows will prevent use of cached handles to files opened through CA shares. + +> [!NOTE] +> This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft does not recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Handle Caching on Continuous Availability Shares* +- GP name: *Pol_EnableHandleCachingForCAFiles* +- GP path: *Network\Lanman Workstation* +- GP ADMX file name: *LanmanWorkstation.admx* + + + +
    + + +**ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of Offline Files on clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. + +If you enable this policy setting, the "Always Available offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of files on CA-enabled shares using client-side caching will also be possible. + +If you disable or do not configure this policy setting, Windows will prevent use of Offline Files with CA-enabled shares. + +> [!NOTE] +> Microsoft does not recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Offline Files Availability on Continuous Availability Shares* +- GP name: *Pol_EnableOfflineFilesforCAShares* +- GP path: *Network\Lanman Workstation* +- GP ADMX file name: *LanmanWorkstation.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md index d4f25831ab..d8eee0b351 100644 --- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md +++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md @@ -77,7 +77,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting changes the operational behavior of the Mapper I/O network protocol driver. +Available in the latest Windows 10 Insider Preview Build. This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. @@ -148,7 +148,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting changes the operational behavior of the Responder network protocol driver. +Available in the latest Windows 10 Insider Preview Build. This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. @@ -177,14 +177,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md new file mode 100644 index 0000000000..b463924f33 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-logon.md @@ -0,0 +1,1208 @@ +--- +title: Policy CSP - ADMX_Logon +description: Policy CSP - ADMX_Logon +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/21/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Logon +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Logon policies + +
    +
    + ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin +
    +
    + ADMX_Logon/DisableAcrylicBackgroundOnLogon +
    +
    + ADMX_Logon/DisableExplorerRunLegacy_1 +
    +
    + ADMX_Logon/DisableExplorerRunLegacy_2 +
    +
    + ADMX_Logon/DisableExplorerRunOnceLegacy_1 +
    +
    + ADMX_Logon/DisableExplorerRunOnceLegacy_2 +
    +
    + ADMX_Logon/DisableStatusMessages +
    +
    + ADMX_Logon/DontEnumerateConnectedUsers +
    +
    + ADMX_Logon/NoWelcomeTips_1 +
    +
    + ADMX_Logon/NoWelcomeTips_2 +
    +
    + ADMX_Logon/Run_1 +
    +
    + ADMX_Logon/Run_2 +
    +
    + ADMX_Logon/SyncForegroundPolicy +
    +
    + ADMX_Logon/UseOEMBackground +
    +
    + ADMX_Logon/VerboseStatus +
    +
    + + +
    + + +**ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy prevents the user from showing account details (email address or user name) on the sign-in screen. + +If you enable this policy setting, the user cannot choose to show account details on the sign-in screen. + +If you disable or do not configure this policy setting, the user may choose to show account details on the sign-in screen. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block user from showing account details on sign-in* +- GP name: *BlockUserFromShowingAccountDetailsOnSignin* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DisableAcrylicBackgroundOnLogon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting disables the acrylic blur effect on logon background image. + +If you enable this policy, the logon background image shows without blur. + +If you disable or do not configure this policy, the logon background image adopts the acrylic blur effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show clear logon background* +- GP name: *DisableAcrylicBackgroundOnLogon* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DisableExplorerRunLegacy_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting ignores the customized run list. + +You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. + +If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. + +If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + +> [!NOTE] +> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not process the legacy run list* +- GP name: *DisableExplorerRunLegacy_1* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DisableExplorerRunLegacy_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting ignores the customized run list. + +You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. + +If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. + +If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + +> [!NOTE] +> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not process the legacy run list* +- GP name: *DisableExplorerRunLegacy_2* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DisableExplorerRunOnceLegacy_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting ignores customized run-once lists. + +You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. + +If you enable this policy setting, the system ignores the run-once list. + +If you disable or do not configure this policy setting, the system runs the programs in the run-once list. + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + +> [!NOTE] +> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not process the run once list* +- GP name: *DisableExplorerRunOnceLegacy_1* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DisableExplorerRunOnceLegacy_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting ignores customized run-once lists. + +You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. + +If you enable this policy setting, the system ignores the run-once list. + +If you disable or do not configure this policy setting, the system runs the programs in the run-once list. + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + +> [!NOTE] +> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not process the run once list* +- GP name: *DisableExplorerRunOnceLegacy_2* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DisableStatusMessages** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting suppresses system status messages. + +If you enable this setting, the system does not display a message reminding users to wait while their system starts or shuts down, or while users log on or off. + +If you disable or do not configure this policy setting, the system displays the message reminding users to wait while their system starts or shuts down, or while users log on or off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Boot / Shutdown / Logon / Logoff status messages* +- GP name: *DisableStatusMessages* +- GP path: *System* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DontEnumerateConnectedUsers** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents connected users from being enumerated on domain-joined computers. + +If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. + +If you disable or do not configure this policy setting, connected users will be enumerated on domain-joined computers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not enumerate connected users on domain-joined computers* +- GP name: *DontEnumerateConnectedUsers* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/NoWelcomeTips_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. + +If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. + +Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box. + +If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. + +This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server. + +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +> [!TIP] +> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not display the Getting Started welcome screen at logon* +- GP name: *NoWelcomeTips_1* +- GP path: *System* +- GP ADMX file name: *Logon.admx* + + + + +
    + + +**ADMX_Logon/NoWelcomeTips_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. + +If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. + +Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box. + +If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server. + +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +> [!TIP] +> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not display the Getting Started welcome screen at logon* +- GP name: *NoWelcomeTips_2* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/Run_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. + +If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. + +To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file. + +If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon. + +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. + +Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Run these programs at user logon* +- GP name: *Run_1* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/Run_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. + +If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. + +To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file. + +If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon. + +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. + +Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Run these programs at user logon* +- GP name: *Run_2* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/SyncForegroundPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background after the network becomes available. + +Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected. + +If a user with a roaming profile, home directory, or user object logon script logs on to a computer, computers always wait for the network to be initialized before logging the user on. If a user has never logged on to this computer before, computers always wait for the network to be initialized. + +If you enable this policy setting, computers wait for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously. + +On servers running Windows Server 2008 or later, this policy setting is ignored during Group Policy processing at computer startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized during computer startup). + +If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon: + +- The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and +- The “Allow asynchronous user Group Policy processing when logging on through Terminal Services” policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\\. + +If this configuration is not implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user logon is synchronous (these servers wait for the network to be initialized during user logon). + +If you disable or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically does not wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background. + +> [!NOTE] +> +> - If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this policy setting to ensure that Windows waits for the network to be available before applying policy. +> - If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always wait for the network at computer startup and logon* +- GP name: *SyncForegroundPolicy* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/UseOEMBackground** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting ignores Windows Logon Background. + +This policy setting may be used to make Windows give preference to a custom logon background. If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background. + +If you disable or do not configure this policy setting, Windows uses the default Windows logon background or custom background. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always use custom logon background* +- GP name: *UseOEMBackground* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/VerboseStatus** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to display highly detailed status messages. + +This policy setting is designed for advanced users who require this information. + +If you enable this policy setting, the system displays status messages that reflect each step in the process of starting, shutting down, logging on, or logging off the system. + +If you disable or do not configure this policy setting, only the default status messages are displayed to the user during these processes. + +> [!NOTE] +> This policy setting is ignored if the "Remove Boot/Shutdown/Logon/Logoff status messages" policy setting is enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display highly detailed status messages* +- GP name: *VerboseStatus* +- GP path: *System* +- GP ADMX file name: *Logon.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md new file mode 100644 index 0000000000..995d54e477 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -0,0 +1,6853 @@ +--- +title: Policy CSP - ADMX_MicrosoftDefenderAntivirus +description: Policy CSP - ADMX_MicrosoftDefenderAntivirus +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/02/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_MicrosoftDefenderAntivirus +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_MicrosoftDefenderAntivirus policies + +
    +
    + ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction +
    +
    + ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions +
    +
    + ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths +
    +
    + ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders +
    +
    + ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation +
    +
    + ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement +
    +
    + ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid +
    +
    + ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition +
    +
    + ADMX_MicrosoftDefenderAntivirus/ProxyBypass +
    +
    + ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl +
    +
    + ADMX_MicrosoftDefenderAntivirus/ProxyServer +
    +
    + ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay +
    +
    + ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection +
    +
    + ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup +
    +
    + ADMX_MicrosoftDefenderAntivirus/SpynetReporting +
    +
    + ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting +
    +
    + ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown +
    +
    + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. + +If you enable or do not configure this setting, the antimalware service will load as a normal priority task. + +If you disable this setting, the antimalware service will load as a low priority task. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow antimalware service to startup with normal priority* +- GP name: *AllowFastServiceStartup* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Microsoft Defender Antivirus. + +If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software. + +If you disable this policy setting, Microsoft Defender Antivirus will run regardless of any other installed antivirus product. + +If you do not configure this policy setting, Windows will internally manage Microsoft Defender Antivirus. If you install another antivirus program, Windows automatically disables Microsoft Defender Antivirus. Otherwise, Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software. + +Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended that you leave this policy setting unconfigured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Microsoft Defender Antivirus* +- GP name: *DisableAntiSpywareDefender* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. + +Disabled (Default): +Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance. + +Enabled: +Microsoft Defender will not exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios. + +Not configured: +Same as Disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Auto Exclusions* +- GP name: *DisableAutoExclusions* +- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device. + +Enabled – The Block at First Sight setting is turned on. +Disabled – The Block at First Sight setting is turned off. + +This feature requires these Group Policy settings to be set as follows: + +- MAPS -> The “Join Microsoft MAPS” must be enabled or the “Block at First Sight” feature will not function. +- MAPS -> The “Send file samples when further analysis is required” should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the “Block at First Sight” feature will not function. +- Real-time Protection -> The “Scan all downloaded files and attachments” policy must be enabled or the “Block at First Sight” feature will not function. +- Real-time Protection -> Do not enable the “Turn off real-time protection” policy or the “Block at First Sight” feature will not function. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the 'Block at First Sight' feature* +- GP name: *DisableBlockAtFirstSeen* +- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions. + +If you enable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group policy Settings will override preference settings. + +If you disable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local administrator merge behavior for lists* +- GP name: *DisableLocalAdminMerge* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off real-time protection prompts for known malware detection. + +Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. + +If you enable this policy setting, Microsoft Defender Antivirus will not prompt users to take actions on malware detections. + +If you disable or do not configure this policy setting, Microsoft Defender Antivirus will prompt users to take actions on malware detections. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off real-time protection* +- GP name: *DisableRealtimeMonitoring* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action. + +If you enable this policy setting, Microsoft Defender Antivirus does not automatically take action on the detected threats, but prompts users to choose from the actions available for each threat. + +If you disable or do not configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off routine remediation* +- GP name: *DisableRoutinelyTakingAction* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Extension Exclusions* +- GP name: *Exclusions_Extensions* +- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. + +As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Path Exclusions* +- GP name: *Exclusions_Paths* +- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Process Exclusions* +- GP name: *Exclusions_Processes* +- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Exclude files and paths from Attack Surface Reduction (ASR) rules. + +Enabled: +Specify the folders or files and resources that should be excluded from ASR rules in the Options section. +Enter each rule on a new line as a name-value pair: + +- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder +- Value column: Enter "0" for each item + +Disabled: +No exclusions will be applied to the ASR rules. + +Not configured: +Same as Disabled. + +You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Exclude files and paths from Attack Surface Reduction Rules* +- GP name: *ExploitGuard_ASR_ASROnlyExclusions* +- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Set the state for each Attack Surface Reduction (ASR) rule. + +After enabling this setting, you can set each rule to the following in the Options section: + +- Block: the rule will be applied +- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied) +- Off: the rule will not be applied + +Enabled: +Specify the state for each ASR rule under the Options section for this setting. +Enter each rule on a new line as a name-value pair: + +- Name column: Enter a valid ASR rule ID +- Value column: Enter the status ID that relates to state you want to specify for the associated rule + +The following status IDs are permitted under the value column: +- 1 (Block) +- 0 (Off) +- 2 (Audit) + +Example: +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 + +Disabled: +No ASR rules will be configured. + +Not configured: +Same as Disabled. + +You can exclude folders or files in the "Exclude files and paths from Attack Surface Reduction Rules" GP setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Attack Surface Reduction rules* +- GP name: *ExploitGuard_ASR_Rules* +- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Add additional applications that should be considered "trusted" by controlled folder access. + +These applications are allowed to modify or delete files in controlled folder access folders. + +Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications. + +Enabled: +Specify additional allowed applications in the Options section.. + +Disabled: +No additional applications will be added to the trusted list. + +Not configured: +Same as Disabled. + +You can enable controlled folder access in the Configure controlled folder access GP setting. + +Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure allowed applications* +- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications* +- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specify additional folders that should be guarded by the Controlled folder access feature. + +Files in these folders cannot be modified or deleted by untrusted applications. + +Default system folders are automatically protected. You can configure this setting to add additional folders. +The list of default system folders that are protected is shown in Windows Security. + +Enabled: +Specify additional folders that should be protected in the Options section. + +Disabled: +No additional folders will be protected. + +Not configured: +Same as Disabled. + +You can enable controlled folder access in the Configure controlled folder access GP setting. + +Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure protected folders* +- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* +- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enable or disable file hash computation feature. + +Enabled: +When this feature is enabled Microsoft Defender will compute hash value for files it scans. + +Disabled: +File hash value is not computed + +Not configured: +Same as Disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable file hash computation feature* +- GP name: *MpEngine_EnableFileHashComputation* +- GP path: *Windows Components\Microsoft Defender Antivirus\MpEngine* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocol are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance. + +If you enable or do not configure this setting, definition retirement will be enabled. + +If you disable this setting, definition retirement will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on definition retirement* +- GP name: *Nis_Consumers_IPS_DisableSignatureRetirement* +- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value is not used and it is recommended that this be set to 0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify additional definition sets for network traffic inspection* +- GP name: *Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid* +- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. + +If you enable or do not configure this setting, protocol recognition will be enabled. + +If you disable this setting, protocol recognition will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on protocol recognition* +- GP name: *Nis_DisableProtocolRecognition* +- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ProxyBypass** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. + +If you enable this setting, the proxy server will be bypassed for the specified addresses. + +If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define addresses to bypass proxy server* +- GP name: *ProxyBypass* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order): + +1. Proxy server (if specified) +2. Proxy .pac URL (if specified) +3. None +4. Internet Explorer proxy settings +5. Autodetect + +If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above. + +If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define proxy auto-config (.pac) for connecting to the network* +- GP name: *ProxyPacUrl* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ProxyServer** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order): + +1. Proxy server (if specified) +2. Proxy .pac URL (if specified) +3. None +4. Internet Explorer proxy settings +5. Autodetect + +If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either http:// or https://. + +If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define proxy server for connecting to the network* +- GP name: *ProxyServer* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for the removal of items from Quarantine folder* +- GP name: *Quarantine_LocalSettingOverridePurgeItemsAfterDelay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. + +If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. + +If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure removal of items from Quarantine folder* +- GP name: *Quarantine_PurgeItemsAfterDelay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time. + +If you enable or do not configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time. + +If you disable this setting, scheduled tasks will begin at the specified start time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Randomize scheduled task times* +- GP name: *RandomizeScheduleTaskTimes* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure behavior monitoring. + +If you enable or do not configure this setting, behavior monitoring will be enabled. + +If you disable this setting, behavior monitoring will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on behavior monitoring* +- GP name: *RealtimeProtection_DisableBehaviorMonitoring* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for all downloaded files and attachments. + +If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. + +If you disable this setting, scanning for all downloaded files and attachments will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan all downloaded files and attachments* +- GP name: *RealtimeProtection_DisableIOAVProtection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure monitoring for file and program activity. + +If you enable or do not configure this setting, monitoring for file and program activity will be enabled. + +If you disable this setting, monitoring for file and program activity will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Monitor file and program activity on your computer* +- GP name: *RealtimeProtection_DisableOnAccessProtection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether raw volume write notifications are sent to behavior monitoring. + +If you enable or do not configure this setting, raw write notifications will be enabled. + +If you disable this setting, raw write notifications be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on raw volume write notifications* +- GP name: *RealtimeProtection_DisableRawWriteNotification* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. + +If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on. + +If you disable this setting, a process scan will not be initiated when real-time protection is turned on. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on process scanning whenever real-time protection is enabled* +- GP name: *RealtimeProtection_DisableScanOnRealtimeEnable* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. + +If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. + +If you disable or do not configure this setting, a default size will be applied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the maximum size of downloaded files and attachments to be scanned* +- GP name: *RealtimeProtection_IOAVMaxSize* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for turn on behavior monitoring* +- GP name: *RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for scanning all downloaded files and attachments* +- GP name: *RealtimeProtection_LocalSettingOverrideDisableIOAVProtection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for monitoring file and program activity on your computer* +- GP name: *RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override to turn on real-time protection* +- GP name: *RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for monitoring for incoming and outgoing file activity* +- GP name: *RealtimeProtection_LocalSettingOverrideRealtimeScanDirection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for the time of day to run a scheduled full scan to complete remediation* +- GP name: *Remediation_LocalSettingOverrideScan_ScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. + +This setting can be configured with the following ordinal number values: + +- (0x0) Every Day +- (0x1) Sunday +- (0x2) Monday +- (0x3) Tuesday +- (0x4) Wednesday +- (0x5) Thursday +- (0x6) Friday +- (0x7) Saturday +- (0x8) Never (default) + +If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified. + +If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the day of the week to run a scheduled full scan to complete remediation* +- GP name: *Remediation_Scan_ScheduleDay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing. + +If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified. + +If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the time of day to run a scheduled full scan to complete remediation* +- GP name: *Remediation_Scan_ScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure time out for detections requiring additional action* +- GP name: *Reporting_AdditionalActionTimeout* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the “critically failed” state to moves to either the “additional action” state or the “cleared” state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure time out for detections in critically failed state* +- GP name: *Reporting_CriticalFailureTimeout* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients. + +If you disable or do not configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients. + +If you enable this setting, Microsoft Defender Antivirus enhanced notifications will not display on clients. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off enhanced notifications* +- GP name: *Reporting_DisableEnhancedNotifications* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + +**ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not Watson events are sent. + +If you enable or do not configure this setting, Watson events will be sent. + +If you disable this setting, Watson events will not be sent. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Watson events* +- GP name: *Reporting_DisablegenericrePorts* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure time out for detections in non-critical failed state* +- GP name: *Reporting_NonCriticalTimeout* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + +**ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure time out for detections in recently remediated state* +- GP name: *Reporting_RecentlyCleanedTimeout* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy configures Windows software trace preprocessor (WPP Software Tracing) components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Windows software trace preprocessor components* +- GP name: *Reporting_WppTracingComponents* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). + +Tracing levels are defined as: + +- 1 - Error +- 2 - Warning +- 3 - Info +- 4 - Debug + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure WPP tracing level* +- GP name: *Reporting_WppTracingLevel* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether or not end users can pause a scan in progress. + +If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. + +If you disable this setting, users will not be able to pause scans. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow users to pause scan* +- GP name: *Scan_AllowPause* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. + +If you enable this setting, archive files will be scanned to the directory depth level specified. + +If you disable or do not configure this setting, archive files will be scanned to the default directory depth level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the maximum depth to scan archive files* +- GP name: *Scan_ArchiveMaxDepth* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. + +If you enable this setting, archive files less than or equal to the size specified will be scanned. + +If you disable or do not configure this setting, archive files will be scanned according to the default value. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the maximum size of archive files to be scanned* +- GP name: *Scan_ArchiveMaxSize* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. + +If you enable or do not configure this setting, archive files will be scanned. + +If you disable this setting, archive files will not be scanned. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan archive files* +- GP name: *Scan_DisableArchiveScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). + +If you enable this setting, e-mail scanning will be enabled. + +If you disable or do not configure this setting, e-mail scanning will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on e-mail scanning* +- GP name: *Scan_DisableEmailScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. + +If you enable or do not configure this setting, heuristics will be enabled. + +If you disable this setting, heuristics will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on heuristics* +- GP name: *Scan_DisableHeuristics* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. + +If you enable or do not configure this setting, packed executables will be scanned. + +If you disable this setting, packed executables will not be scanned. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan packed executables* +- GP name: *Scan_DisablePackedExeScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. + +If you enable this setting, removable drives will be scanned during any type of scan. + +If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan removable drives* +- GP name: *Scan_DisableRemovableDriveScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality. + +If you enable this setting, reparse point scanning will be enabled. + +If you disable or do not configure this setting, reparse point scanning will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on reparse point scanning* +- GP name: *Scan_DisableReparsePointScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. + +If you enable this setting, a system restore point will be created. + +If you disable or do not configure this setting, a system restore point will not be created. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Create a system restore point* +- GP name: *Scan_DisableRestorePoint* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning mapped network drives. + +If you enable this setting, mapped network drives will be scanned. + +If you disable or do not configure this setting, mapped network drives will not be scanned. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Run full scan on mapped network drives* +- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. + +If you enable this setting, network files will be scanned. + +If you disable or do not configure this setting, network files will not be scanned. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan network files* +- GP name: *Scan_DisableScanningNetworkFiles* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for maximum percentage of CPU utilization* +- GP name: *Scan_LocalSettingOverrideAvgCPULoadFactor* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for the scan type to use for a scheduled scan* +- GP name: *Scan_LocalSettingOverrideScanParameters* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for schedule scan day* +- GP name: *Scan_LocalSettingOverrideScheduleDay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for scheduled quick scan time* +- GP name: *Scan_LocalSettingOverrideScheduleQuickScantime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for scheduled scan time* +- GP name: *Scan_LocalSettingOverrideScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable low CPU priority for scheduled scans. + +If you enable this setting, low CPU priority will be used during scheduled scans. + +If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure low CPU priority for scheduled scans* +- GP name: *Scan_LowCpuPriority* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans. + +If you enable this setting, a catch-up scan will occur after the specified number consecutive missed scheduled scans. + +If you disable or do not configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the number of days after which a catch-up scan is forced* +- GP name: *Scan_MissedScheduledScanCountBeforeCatchup* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days. + +If you enable this setting, items will be removed from the scan history folder after the number of days specified. + +If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on removal of items from scan history folder* +- GP name: *Scan_PurgeItemsAfterDelay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0. + +If you enable this setting, a quick scan will run at the interval specified. + +If you disable or do not configure this setting, a quick scan will run at a default time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the interval to run quick scans per day* +- GP name: *Scan_QuickScanInterval* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. + +If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use. + +If you disable this setting, scheduled scans will run at the scheduled time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Start the scheduled scan only when computer is on but not in use* +- GP name: *Scan_ScanOnlyIfIdle* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. + +This setting can be configured with the following ordinal number values: + +- (0x0) Every Day +- (0x1) Sunday +- (0x2) Monday +- (0x3) Tuesday +- (0x4) Wednesday +- (0x5) Thursday +- (0x6) Friday +- (0x7) Saturday +- (0x8) Never (default) + +If you enable this setting, a scheduled scan will run at the frequency specified. + +If you disable or do not configure this setting, a scheduled scan will run at a default frequency. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the day of the week to run a scheduled scan* +- GP name: *Scan_ScheduleDay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. + +If you enable this setting, a scheduled scan will run at the time of day specified. + +If you disable or do not configure this setting, a scheduled scan will run at a default time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the time of day to run a scheduled scan* +- GP name: *Scan_ScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled. + +If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence is disabled. + +If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow antimalware service to remain running always* +- GP name: *ServiceKeepAlive* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. + +If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. + +If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the number of days before spyware security intelligence is considered out of date* +- GP name: *SignatureUpdate_ASSignatureDue* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. + +If you enable this setting, virus security intelligence will be considered out of date after the number of days specified have passed without an update. + +If you disable or do not configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the number of days before virus security intelligence is considered out of date* +- GP name: *SignatureUpdate_AVSignatureDue* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\\unc1 | \\\unc2 }". The list is empty by default. + +If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define file shares for downloading security intelligence updates* +- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred. + +If you enable or do not configure this setting, a scan will start following a security intelligence update. + +If you disable this setting, a scan will not start following a security intelligence update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on scan after security intelligence update* +- GP name: *SignatureUpdate_DisableScanOnUpdate* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure security intelligence updates when the computer is running on battery power. + +If you enable or do not configure this setting, security intelligence updates will occur as usual regardless of power state. + +If you disable this setting, security intelligence updates will be turned off while the computer is running on battery power. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow security intelligence updates when running on battery power* +- GP name: *SignatureUpdate_DisableScheduledSignatureUpdateonBattery* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present. + +If you enable or do not configure this setting, security intelligence updates will be initiated on startup when there is no antimalware engine present. + +If you disable this setting, security intelligence updates will not be initiated on startup when there is no antimalware engine present. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Initiate security intelligence update on startup* +- GP name: *SignatureUpdate_DisableUpdateOnStartupWithoutEngine* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”. + +For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } + +If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the order of sources for downloading security intelligence updates* +- GP name: *SignatureUpdate_FallbackOrder* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. + +If you enable this setting, security intelligence updates will be downloaded from Microsoft Update. + +If you disable or do not configure this setting, security intelligence updates will be downloaded from the configured download source. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow security intelligence updates from Microsoft Update* +- GP name: *SignatureUpdate_ForceUpdateFromMU* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has security intelligence for a threat involving that file, the service will receive all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work. + +If you enable or do not configure this setting, real-time security intelligence updates will be enabled. + +If you disable this setting, real-time security intelligence updates will disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow real-time security intelligence updates based on reports to Microsoft MAPS* +- GP name: *SignatureUpdate_RealtimeSignatureDelivery* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be configured to run every day or to never run at all. + +This setting can be configured with the following ordinal number values: + +- (0x0) Every Day (default) +- (0x1) Sunday +- (0x2) Monday +- (0x3) Tuesday +- (0x4) Wednesday +- (0x5) Thursday +- (0x6) Friday +- (0x7) Saturday +- (0x8) Never + +If you enable this setting, the check for security intelligence updates will occur at the frequency specified. + +If you disable or do not configure this setting, the check for security intelligence updates will occur at a default frequency. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the day of the week to check for security intelligence updates* +- GP name: *SignatureUpdate_ScheduleDay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring. + +If you enable this setting, the check for security intelligence updates will occur at the time of day specified. + +If you disable or do not configure this setting, the check for security intelligence updates will occur at the default time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the time to check for security intelligence updates* +- GP name: *SignatureUpdate_ScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the security intelligence location for VDI-configured computers. + +If you disable or do not configure this setting, security intelligence will be referred from the default local source. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define security intelligence location for VDI clients.* +- GP name: *SignatureUpdate_SharedSignaturesLocation* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for this functionality to work. + +If you enable this setting or do not configure, the antimalware service will receive notifications to disable security intelligence. + +If you disable this setting, the antimalware service will not receive notifications to disable security intelligence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow notifications to disable security intelligence based reports to Microsoft MAPS* +- GP name: *SignatureUpdate_SignatureDisableNotification* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required. By default, the value of this setting is 1 day. + +If you enable this setting, a catch-up security intelligence update will occur after the specified number of days. + +If you disable or do not configure this setting, a catch-up security intelligence update will be required after the default number of days. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the number of days after which a catch-up security intelligence update is required* +- GP name: *SignatureUpdate_SignatureUpdateCatchupInterval* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediately after service startup. + +If you enable this setting, a check for new security intelligence will occur after service startup. + +If you disable this setting or do not configure this setting, a check for new security intelligence will not occur after service startup. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Check for the latest virus and spyware security intelligence on startup* +- GP name: *SignatureUpdate_UpdateOnStartup* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SpynetReporting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. + +You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. + +Possible options are: + +- (0x0) Disabled (default) +- (0x1) Basic membership +- (0x2) Advanced membership + +Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful. + +Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer. + +If you enable this setting, you will join Microsoft MAPS with the membership specified. + +If you disable or do not configure this setting, you will not join Microsoft MAPS. + +In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Join Microsoft MAPS* +- GP name: *SpynetReporting* +- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for reporting to Microsoft MAPS* +- GP name: *Spynet_LocalSettingOverrideSpynetReporting* +- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* +- GP ADMX file name: *WindowsDefender.admx* + + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken. + +Valid remediation action values are: + +- 2 = Quarantine +- 3 = Remove +- 6 = Ignore + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify threats upon which default action should not be taken when detected* +- GP name: *Threats_ThreatIdDefaultAction* +- GP path: *Windows Components\Microsoft Defender Antivirus\Threats* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display. + +If you enable this setting, the additional text specified will be displayed. + +If you disable or do not configure this setting, there will be no additional text displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display additional text to clients when they need to perform an action* +- GP name: *UX_Configuration_CustomDefaultActionToastString* +- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients. + +If you disable or do not configure this setting, Microsoft Defender Antivirus notifications will display on clients. + +If you enable this setting, Microsoft Defender Antivirus notifications will not display on clients. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Suppress all notifications* +- GP name: *UX_Configuration_Notification_Suppress* +- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). + +If you enable this setting AM UI won't show reboot notifications. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Suppresses reboot notifications* +- GP name: *UX_Configuration_SuppressRebootNotification* +- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not to display AM UI to the users. + +If you enable this setting AM UI won't be available to users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable headless UI mode* +- GP name: *UX_Configuration_UILockdown* +- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md index a86907a534..dc9f501685 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmc.md +++ b/windows/client-management/mdm/policy-csp-admx-mmc.md @@ -86,7 +86,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. @@ -165,7 +165,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. @@ -244,7 +244,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. @@ -323,7 +323,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from entering author mode. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from entering author mode. This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default. @@ -396,7 +396,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. - If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins. @@ -432,14 +432,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index cdd93c1d97..dcbb289b4b 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md @@ -383,7 +383,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -460,7 +460,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -538,7 +538,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -616,7 +616,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -694,7 +694,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -772,7 +772,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -850,7 +850,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -928,7 +928,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1006,7 +1006,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1084,7 +1084,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1162,7 +1162,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1240,7 +1240,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1317,7 +1317,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1394,7 +1394,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1471,7 +1471,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1548,7 +1548,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1625,7 +1625,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1702,7 +1702,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1779,7 +1779,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1856,7 +1856,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1933,7 +1933,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2010,7 +2010,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2087,7 +2087,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2164,7 +2164,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2241,7 +2241,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2318,7 +2318,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2395,7 +2395,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2472,7 +2472,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2549,7 +2549,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2627,7 +2627,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2704,7 +2704,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2781,7 +2781,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2858,7 +2858,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2935,7 +2935,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3012,7 +3012,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3089,7 +3089,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3166,7 +3166,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3243,7 +3243,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins. @@ -3322,7 +3322,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3399,7 +3399,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3476,7 +3476,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3553,7 +3553,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3630,7 +3630,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3707,7 +3707,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3784,7 +3784,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3861,7 +3861,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3938,7 +3938,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4015,7 +4015,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4092,7 +4092,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4169,7 +4169,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4246,7 +4246,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4323,7 +4323,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4400,7 +4400,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4477,7 +4477,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4554,7 +4554,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4631,7 +4631,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4708,7 +4708,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4785,7 +4785,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4862,7 +4862,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4939,7 +4939,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5016,7 +5016,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5093,7 +5093,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5170,7 +5170,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5247,7 +5247,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5324,7 +5324,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5401,7 +5401,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5478,7 +5478,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5555,7 +5555,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5632,7 +5632,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5709,7 +5709,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5786,7 +5786,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5863,7 +5863,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5940,7 +5940,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6017,7 +6017,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6094,7 +6094,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6171,7 +6171,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6248,7 +6248,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6325,7 +6325,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6402,7 +6402,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6479,7 +6479,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6556,7 +6556,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6633,7 +6633,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6710,7 +6710,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6787,7 +6787,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6864,7 +6864,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6941,7 +6941,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7018,7 +7018,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7095,7 +7095,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7172,7 +7172,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7249,7 +7249,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7326,7 +7326,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7403,7 +7403,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7480,7 +7480,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7557,7 +7557,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7634,7 +7634,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7711,7 +7711,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7788,7 +7788,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7865,7 +7865,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7942,7 +7942,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8019,7 +8019,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8096,7 +8096,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8173,7 +8173,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8250,7 +8250,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8327,7 +8327,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8404,7 +8404,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8437,14 +8437,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md index e8c35ac22e..3532d29c56 100644 --- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. @@ -103,14 +103,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md new file mode 100644 index 0000000000..c5cb159658 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-msched.md @@ -0,0 +1,192 @@ +--- +title: Policy CSP - ADMX_msched +description: Policy CSP - ADMX_msched +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_msched +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_msched policies + +
    +
    + ADMX_msched/ActivationBoundaryPolicy +
    +
    + ADMX_msched/RandomDelayPolicy +
    +
    + + +
    + + +**ADMX_msched/ActivationBoundaryPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation boundary is the daily scheduled time at which Automatic Maintenance starts. + +If you enable this policy setting, this will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel. + +If you disable or do not configure this policy setting, the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatic Maintenance Activation Boundary* +- GP name: *ActivationBoundaryPolicy* +- GP path: *Windows Components\Maintenance Scheduler* +- GP ADMX file name: *msched.admx* + + + +
    + + +**ADMX_msched/RandomDelayPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Automatic Maintenance activation random delay. + +The maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its Activation Boundary. + +If you enable this policy setting, Automatic Maintenance will delay starting from its Activation Boundary, by up to this time. + +If you do not configure this policy setting, 4 hour random delay will be applied to Automatic Maintenance. + +If you disable this policy setting, no random delay will be applied to Automatic Maintenance. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatic Maintenance Random Delay* +- GP name: *RandomDelayPolicy* +- GP path: *Windows Components\Maintenance Scheduler* +- GP ADMX file name: *msched.admx* + + + +
    + + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md new file mode 100644 index 0000000000..e6ab53acce --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-msdt.md @@ -0,0 +1,289 @@ +--- +title: Policy CSP - ADMX_MSDT +description: Policy CSP - ADMX_MSDT +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_MSDT +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_MSDT policies + +
    +
    + ADMX_MSDT/MsdtSupportProvider +
    +
    + ADMX_MSDT/MsdtToolDownloadPolicy +
    +
    + ADMX_MSDT/WdiScenarioExecutionPolicy +
    +
    + + +
    + + +**ADMX_MSDT/MsdtSupportProvider** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. + +If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. + +By default, the support provider is set to Microsoft Corporation. + +If you disable this policy setting, MSDT cannot run in support mode, and no data can be collected or sent to the support provider. + +If you do not configure this policy setting, MSDT support mode is enabled by default. + +No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider* +- GP name: *MsdtSupportProvider* +- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool* +- GP ADMX file name: *MSDT.admx* + + + +
    + + +**ADMX_MSDT/MsdtToolDownloadPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool. + +Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. + +For some problems, MSDT may prompt the user to download additional tools for troubleshooting. These tools are required to completely troubleshoot the problem. + +If tool download is restricted, it may not be possible to find the root cause of the problem. + +If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download additional tools to diagnose problems on remote computers only. + +If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for additional tool downloading. + +If you disable this policy setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers. + +If you do not configure this policy setting, MSDT prompts the user before downloading any additional tools. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. + +This policy setting will take effect only when MSDT is enabled. + +This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. + +When the service is stopped or disabled, diagnostic scenarios are not executed. + +The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Support Diagnostic Tool: Restrict tool download* +- GP name: *MsdtToolDownloadPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool* +- GP ADMX file name: *MSDT.admx* + + + +
    + + +**ADMX_MSDT/WdiScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Microsoft Support Diagnostic Tool. + +Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. If you enable this policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. + +If you disable this policy setting, MSDT cannot gather diagnostic data. If you do not configure this policy setting, MSDT is turned on by default. + +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. + +No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. + +This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Support Diagnostic Tool: Configure execution level* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool* +- GP ADMX file name: *MSDT.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md new file mode 100644 index 0000000000..3e2094f298 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -0,0 +1,1875 @@ +--- +title: Policy CSP - ADMX_MSI +description: Policy CSP - ADMX_MSI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/16/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_MSI +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_MSI policies + +
    +
    + ADMX_MSI/AllowLockdownBrowse +
    +
    + ADMX_MSI/AllowLockdownMedia +
    +
    + ADMX_MSI/AllowLockdownPatch +
    +
    + ADMX_MSI/DisableAutomaticApplicationShutdown +
    +
    + ADMX_MSI/DisableBrowse +
    +
    + ADMX_MSI/DisableFlyweightPatching +
    +
    + ADMX_MSI/DisableLoggingFromPackage +
    +
    + ADMX_MSI/DisableMSI +
    +
    + ADMX_MSI/DisableMedia +
    +
    + ADMX_MSI/DisablePatch +
    +
    + ADMX_MSI/DisableRollback_1 +
    +
    + ADMX_MSI/DisableRollback_2 +
    +
    + ADMX_MSI/DisableSharedComponent +
    +
    + ADMX_MSI/MSILogging +
    +
    + ADMX_MSI/MSI_DisableLUAPatching +
    +
    + ADMX_MSI/MSI_DisablePatchUninstall +
    +
    + ADMX_MSI/MSI_DisableSRCheckPoints +
    +
    + ADMX_MSI/MSI_DisableUserInstalls +
    +
    + ADMX_MSI/MSI_EnforceUpgradeComponentRules +
    +
    + ADMX_MSI/MSI_MaxPatchCacheSize +
    +
    + ADMX_MSI/MsiDisableEmbeddedUI +
    +
    + ADMX_MSI/SafeForScripting +
    +
    + ADMX_MSI/SearchOrder +
    +
    + ADMX_MSI/TransformsSecure +
    +
    + +
    + + +**ADMX_MSI/AllowLockdownBrowse** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to search for installation files during privileged installations. + +If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges. + +Because the installation is running with elevated system privileges, users can browse through directories that their own permissions would not allow. + +This policy setting does not affect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source" policy setting. + +If you disable or do not configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow users to browse for source while elevated* +- GP name: *AllowLockdownBrowse* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/AllowLockdownMedia** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to install programs from removable media during privileged installations. + +If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges. + +This policy setting does not affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context. + +If you disable or do not configure this policy setting, by default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media. + +Also, see the "Prevent removable media source for any install" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow users to use media source while elevated* +- GP name: *AllowLockdownMedia* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/AllowLockdownPatch** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to patch elevated products. + +If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use. + +If you disable or do not configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. + +This policy setting does not affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow users to patch elevated products* +- GP name: *AllowLockdownPatch* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableAutomaticApplicationShutdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. + +If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use detection behavior. + +- The "Restart Manager On" option instructs Windows Installer to use Restart Manager to detect files in use and mitigate a system restart, when possible. + +- The "Restart Manager Off" option turns off Restart Manager for file in use detection and the legacy file in use behavior is used. + +- The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager for detection. + +If you disable or do not configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit use of Restart Manager* +- GP name: *DisableAutomaticApplicationShutdown* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableBrowse** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from searching for installation files when they add features or components to an installed program. + +If you enable this policy setting, the Browse button beside the "Use feature from" list in the Windows Installer dialog box is disabled. As a result, users must select an installation file source from the "Use features from" list that the system administrator configures. + +This policy setting applies even when the installation is running in the user's security context. + +If you disable or do not configure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. + +This policy setting affects Windows Installer only. It does not prevent users from selecting other browsers, such as File Explorer or Network Locations, to search for installation files. + +Also, see the "Enable user to browse for source while elevated" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove browse dialog box for new source* +- GP name: *DisableBrowse* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableFlyweightPatching** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to turn off all patch optimizations. + +If you enable this policy setting, all Patch Optimization options are turned off during the installation. + +If you disable or do not configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit flyweight patching* +- GP name: *DisableFlyweightPatching* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableLoggingFromPackage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package. + +If you enable this policy setting, you can use the options in the Disable logging via package settings box to control automatic logging via package settings behavior. + +- The "Logging via package settings on" option instructs Windows Installer to automatically generate log files for packages that include the MsiLogging property. + +- The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy. + +If you disable or do not configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off logging via package settings* +- GP name: *DisableLoggingFromPackage* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableMSI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the use of Windows Installer. + +If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. + +- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured. + +- The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured. + +- The "Always" option indicates that Windows Installer is disabled. + +This policy setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Installer* +- GP name: *DisableMSI* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableMedia** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from installing any programs from removable media. + +If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature cannot be found. + +This policy setting applies even when the installation is running in the user's security context. + +If you disable or do not configure this policy setting, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. + +Also, see the "Enable user to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent removable media source for any installation* +- GP name: *DisableMedia* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisablePatch** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Windows Installer to install patches. + +If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use. + +> [!NOTE] +> This policy setting applies only to installations that run in the user's security context. + +If you disable or do not configure this policy setting, by default, users who are not system administrators cannot apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs. + +Also, see the "Enable user to patch elevated products" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from using Windows Installer to install updates and upgrades* +- GP name: *DisablePatch* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableRollback_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. + +If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. + +This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. + +This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit rollback* +- GP name: *DisableRollback_1* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableRollback_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. + +If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. + +This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. + +This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit rollback* +- GP name: *DisableRollback_2* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableSharedComponent** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to turn off shared components. + +If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table. + +If you disable or do not configure this policy setting, by default, the shared component functionality is allowed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off shared components* +- GP name: *DisableSharedComponent* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/MSILogging** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume. + +When you enable this policy setting, you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded, type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you want. + +To disable logging, delete all of the letters from the box. + +If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the types of events Windows Installer records in its transaction log* +- GP name: *MSILogging* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + + +**ADMX_MSI/MSI_DisableLUAPatching** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. + +Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. + +If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications. + +If you disable or do not configure this policy setting, users without administrative privileges can install non-administrator updates. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit non-administrators from applying vendor signed updates* +- GP name: *MSI_DisableLUAPatching* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + + +**ADMX_MSI/MSI_DisablePatchUninstall** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability for users or administrators to remove Windows Installer based updates. + +This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators. + +If you enable this policy setting, updates cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product. + +If you disable or do not configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit removal of updates* +- GP name: *MSI_DisablePatchUninstall* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + + +**ADMX_MSI/MSI_DisableSRCheckPoints** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. + +If you enable this policy setting, the Windows Installer does not generate System Restore checkpoints when installing applications. + +If you disable or do not configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off creation of System Restore checkpoints* +- GP name: *MSI_DisableSRCheckPoints* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + + +**ADMX_MSI/MSI_DisableUserInstalls** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want. + +If you do not configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product. + +If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit User Installs* +- GP name: *MSI_DisableUserInstalls* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + + +**ADMX_MSI/MSI_EnforceUpgradeComponentRules** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting causes the Windows Installer to enforce strict rules for component upgrades. + +If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following: + +(1) Remove a component from a feature. +This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component. + +(2) Add a new feature to the top or middle of an existing feature tree. +The new feature must be added as a new leaf feature to an existing feature tree. + +If you disable or do not configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enforce upgrade component rules* +- GP name: *MSI_EnforceUpgradeComponentRules* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/MSI_MaxPatchCacheSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy controls the percentage of disk space available to the Windows Installer baseline file cache. + +The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied. + +If you enable this policy setting you can modify the maximum size of the Windows Installer baseline file cache. + +If you set the baseline cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be deleted when the product is removed. + +If you set the baseline cache to 100, the Windows Installer will use available free space for the baseline file cache. + +If you disable or do not configure this policy setting, the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control maximum size of baseline file cache* +- GP name: *MSI_MaxPatchCacheSize* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/MsiDisableEmbeddedUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to prevent embedded UI. + +If you enable this policy setting, no packages on the system can run embedded UI. + +If you disable or do not configure this policy setting, embedded UI is allowed to run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent embedded UI* +- GP name: *MsiDisableEmbeddedUI* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/SafeForScripting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows Web-based programs to install software on the computer without notifying the user. + +If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. + +If you enable this policy setting, the warning is suppressed and allows the installation to proceed. + +This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this policy setting can pose a security risk, it should be applied cautiously. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Internet Explorer security prompt for Windows Installer scripts* +- GP name: *SafeForScripting* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/SearchOrder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the order in which Windows Installer searches for installation files. + +If you disable or do not configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL). + +If you enable this policy setting, you can change the search order by specifying the letters representing each file source in the order that you want Windows Installer to search: + +- "n" represents the network +- "m" represents media +- "u" represents URL, or the Internet + +To exclude a file source, omit or delete the letter representing that source type. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the order in which Windows Installer searches for installation files* +- GP name: *SearchOrder* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/TransformsSecure** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting saves copies of transform files in a secure location on the local computer. + +Transform files consist of instructions to modify or customize a program during installation. + +If you enable this policy setting, the transform file is saved in a secure location on the user's computer. + +If you do not configure this policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation. + +This policy setting is designed for enterprises to prevent unauthorized or malicious editing of transform files. + +If you disable this policy setting, Windows Installer stores transform files in the Application Data directory in the user's profile. + +If you do not configure this policy setting on Windows 2000 Professional, Windows XP Professional and Windows Vista, when a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer or is not connected to the network. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Save copies of transform files in a secure location on workstation* +- GP name: *TransformsSecure* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + +
    + + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index 840af17067..aaa011b575 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -95,7 +95,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. Each string can be one of the following types: @@ -174,7 +174,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. > [!TIP] @@ -239,7 +239,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. By default, NCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for each tunnel. @@ -310,7 +310,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. If this setting is not configured, the string that appears for DirectAccess connectivity is “Corporate Connection”. @@ -377,7 +377,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. Note that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names. @@ -453,7 +453,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether NCA service runs in Passive Mode or not. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether NCA service runs in Passive Mode or not. Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default. @@ -519,7 +519,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access. @@ -588,7 +588,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files as a .html file. The user can review the message and add additional information before sending the message. @@ -613,14 +613,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 3e575f3fdf..2dc203705f 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -92,7 +92,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. > [!TIP] @@ -157,7 +157,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. > [!TIP] @@ -222,7 +222,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. > [!TIP] @@ -287,7 +287,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. > [!TIP] @@ -355,7 +355,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. > [!TIP] @@ -420,7 +420,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. > [!TIP] @@ -485,7 +485,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. +Available in the latest Windows 10 Insider Preview Build. This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. > [!TIP] @@ -508,14 +508,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 782b57ba8c..45405c7cc2 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -176,7 +176,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to compute a matching site for the client. @@ -253,7 +253,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior. @@ -328,7 +328,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled. @@ -401,7 +401,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller. @@ -476,7 +476,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name. @@ -551,7 +551,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. @@ -624,7 +624,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended. @@ -700,7 +700,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. Contacting the PDC emulator is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection. @@ -775,7 +775,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. The default value for this setting is 10 minutes (10*60). @@ -853,7 +853,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. For example, the retry intervals may be set at 10 minutes, then 20 minutes and then 40 minutes, but when the interval reaches the value set in this setting, that value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached. @@ -933,7 +933,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. @@ -1005,7 +1005,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). > [!TIP] @@ -1072,7 +1072,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the level of debug output for the Net Logon service. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the level of debug output for the Net Logon service. The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged. @@ -1147,7 +1147,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied. @@ -1246,7 +1246,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. @@ -1322,7 +1322,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. If enabled, domain controllers will lowercase their DNS host name when registering domain controller SRV records. A best-effort attempt will be made to delete any previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual cleanup procedures, see the link below. @@ -1398,7 +1398,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes). @@ -1468,7 +1468,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute). @@ -1539,7 +1539,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. @@ -1614,7 +1614,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory. @@ -1687,7 +1687,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). > [!NOTE] > To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. @@ -1763,7 +1763,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed. @@ -1836,7 +1836,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record. @@ -1909,7 +1909,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. @@ -1980,7 +1980,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2053,7 +2053,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0. @@ -2125,7 +2125,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -2203,7 +2203,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0). @@ -2272,7 +2272,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). +Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version. @@ -2350,7 +2350,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the interval at which Netlogon performs the following scavenging operations: +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval at which Netlogon performs the following scavenging operations: - Checks if a password on a secure channel needs to be modified, and modifies it if necessary. @@ -2427,7 +2427,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. The DC Locator DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2500,7 +2500,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the Active Directory site to which computers belong. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Active Directory site to which computers belong. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2573,7 +2573,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled, the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -2651,7 +2651,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. @@ -2726,7 +2726,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. @@ -2755,14 +2755,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index b2d54403e7..7e542154a7 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -2187,13 +2187,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index abd5e758fc..27b56e21e6 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -209,7 +209,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting makes subfolders available offline whenever their parent folder is made available offline. +Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline. This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. @@ -280,7 +280,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -354,7 +354,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -428,7 +428,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. If you enable this policy setting, you can control when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis. @@ -499,7 +499,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. This setting also disables the ability to adjust, through the Offline Files control panel applet, the disk space limits on the Offline Files cache. This prevents users from trying to change the option while a policy setting controls it. @@ -580,7 +580,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -664,7 +664,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -748,7 +748,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. +Available in the latest Windows 10 Insider Preview Build. Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -828,7 +828,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185.This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. +Available in the latest Windows 10 Insider Preview Build.This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. If you enable this policy setting, Offline Files is enabled and users cannot disable it. @@ -902,7 +902,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are encrypted. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are encrypted. Offline files are locally cached copies of files from a network share. Encrypting this cache reduces the likelihood that a user could access files from the Offline Files cache without proper permissions. @@ -979,7 +979,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines which events the Offline Files feature records in the event log. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. @@ -1059,7 +1059,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines which events the Offline Files feature records in the event log. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. @@ -1139,7 +1139,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. If you enable this policy setting, a user will be unable to create files with the specified file extensions in any of the folders that have been made available offline. @@ -1208,7 +1208,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Lists types of files that cannot be used offline. +Available in the latest Windows 10 Insider Preview Build. Lists types of files that cannot be used offline. This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system does not cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type cannot be made available offline." @@ -1282,7 +1282,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -1366,7 +1366,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -1450,7 +1450,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting disables the Offline Files folder. +Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. @@ -1524,7 +1524,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting disables the Offline Files folder. +Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. @@ -1598,7 +1598,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. @@ -1672,7 +1672,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. @@ -1746,7 +1746,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from making network files and folders available offline. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. @@ -1819,7 +1819,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from making network files and folders available offline. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. @@ -1892,7 +1892,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -1969,7 +1969,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -2046,7 +2046,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Hides or displays reminder balloons, and prevents users from changing the setting. +Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. @@ -2126,7 +2126,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Hides or displays reminder balloons, and prevents users from changing the setting. +Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. @@ -2206,7 +2206,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. The cached files are temporary and are not available to the user when offline. The cached files are not kept in sync with the version on the server, and the most current version from the server is always available for subsequent reads. @@ -2279,7 +2279,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting makes subfolders available offline whenever their parent folder is made available offline. +Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline. This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. @@ -2350,7 +2350,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting deletes local copies of the user's offline files when the user logs off. +Available in the latest Windows 10 Insider Preview Build. This policy setting deletes local copies of the user's offline files when the user logs off. This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files. @@ -2422,7 +2422,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to turn on economical application of administratively assigned Offline Files. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on economical application of administratively assigned Offline Files. If you enable or do not configure this policy setting, only new files and folders in administratively assigned folders are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later. @@ -2491,7 +2491,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how often reminder balloon updates appear. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. @@ -2565,7 +2565,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how often reminder balloon updates appear. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. @@ -2639,7 +2639,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long the first reminder balloon for a network status change is displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. @@ -2708,7 +2708,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long the first reminder balloon for a network status change is displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. @@ -2777,7 +2777,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long updated reminder balloons are displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. @@ -2846,7 +2846,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long updated reminder balloons are displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. @@ -2915,7 +2915,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency threshold parameter. @@ -2994,7 +2994,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. When a connection is considered slow, Offline Files automatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the presence of a server is detected. @@ -3068,7 +3068,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are fully synchronized when users log off. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3146,7 +3146,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are fully synchronized when users log off. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3224,7 +3224,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are fully synchronized when users log on. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3304,7 +3304,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are fully synchronized when users log on. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3382,7 +3382,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are synchronized before a computer is suspended. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. @@ -3454,7 +3454,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are synchronized before a computer is suspended. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. @@ -3526,7 +3526,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan's data limit. This may result in extra charges on cell phone or broadband plans. @@ -3595,7 +3595,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. @@ -3664,7 +3664,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. @@ -3691,14 +3691,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index 426fcbe069..ed16a33a35 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -97,7 +97,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: - Set BranchCache Distributed Cache mode - Set BranchCache Hosted Cache mode @@ -177,7 +177,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. In distributed cache mode, client computers download content from BranchCache-enabled main office content servers, cache the content locally, and serve the content to other BranchCache distributed cache mode clients in the branch office. @@ -255,7 +255,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. When a client computer is configured as a hosted cache mode client, it is able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office. @@ -339,7 +339,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy. @@ -426,7 +426,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting. @@ -509,7 +509,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. +Available in the latest Windows 10 Insider Preview Build. This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. Policy configuration @@ -586,7 +586,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. If you enable this policy setting, you can configure the percentage of total disk space to allocate for the cache. @@ -670,7 +670,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. If you enable this policy setting, you can configure the age for segments in the data cache. @@ -751,7 +751,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions." @@ -793,13 +793,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index f02fb046cc..0e39a89004 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the execution level for Windows Boot Performance Diagnostics. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Boot Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available. @@ -160,7 +160,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Determines the execution level for Windows Standby/Resume Performance Diagnostics. +Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. @@ -237,7 +237,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available. @@ -314,7 +314,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Determines the execution level for Windows Standby/Resume Performance Diagnostics. +Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. @@ -349,14 +349,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md new file mode 100644 index 0000000000..3d1a58a8f1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -0,0 +1,1882 @@ +--- +title: Policy CSP - ADMX_Power +description: Policy CSP - ADMX_Power +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/22/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Power +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Power policies + +
    +
    + ADMX_Power/ACConnectivityInStandby_2 +
    +
    + ADMX_Power/ACCriticalSleepTransitionsDisable_2 +
    +
    + ADMX_Power/ACStartMenuButtonAction_2 +
    +
    + ADMX_Power/AllowSystemPowerRequestAC +
    +
    + ADMX_Power/AllowSystemPowerRequestDC +
    +
    + ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC +
    +
    + ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC +
    +
    + ADMX_Power/CustomActiveSchemeOverride_2 +
    +
    + ADMX_Power/DCBatteryDischargeAction0_2 +
    +
    + ADMX_Power/DCBatteryDischargeAction1_2 +
    +
    + ADMX_Power/DCBatteryDischargeLevel0_2 +
    +
    + ADMX_Power/DCBatteryDischargeLevel1UINotification_2 +
    +
    + ADMX_Power/DCBatteryDischargeLevel1_2 +
    +
    + ADMX_Power/DCConnectivityInStandby_2 +
    +
    + ADMX_Power/DCCriticalSleepTransitionsDisable_2 +
    +
    + ADMX_Power/DCStartMenuButtonAction_2 +
    +
    + ADMX_Power/DiskACPowerDownTimeOut_2 +
    +
    + ADMX_Power/DiskDCPowerDownTimeOut_2 +
    +
    + ADMX_Power/Dont_PowerOff_AfterShutdown +
    +
    + ADMX_Power/EnableDesktopSlideShowAC +
    +
    + ADMX_Power/EnableDesktopSlideShowDC +
    +
    + ADMX_Power/InboxActiveSchemeOverride_2 +
    +
    + ADMX_Power/PW_PromptPasswordOnResume +
    +
    + ADMX_Power/PowerThrottlingTurnOff +
    +
    + ADMX_Power/ReserveBatteryNotificationLevel +
    +
    + + +
    + + +**ADMX_Power/ACConnectivityInStandby_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. + +If you enable this policy setting, network connectivity will be maintained in standby. + +If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. + +If you do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow network connectivity during connected-standby (plugged in)* +- GP name: *ACConnectivityInStandby_2* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/ACCriticalSleepTransitionsDisable_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. + +If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on the ability for applications to prevent sleep transitions (plugged in)* +- GP name: *ACCriticalSleepTransitionsDisable_2* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/ACStartMenuButtonAction_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. + +If you enable this policy setting, select one of the following actions: + +- Sleep +- Hibernate +- Shut down + +If you disable this policy or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Start menu Power button action (plugged in)* +- GP name: *ACStartMenuButtonAction_2* +- GP path: *System\Power Management\Button Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/AllowSystemPowerRequestAC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. + +If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. + +If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow applications to prevent automatic sleep (plugged in)* +- GP name: *AllowSystemPowerRequestAC* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/AllowSystemPowerRequestDC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. + +If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. + +If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow applications to prevent automatic sleep (on battery)* +- GP name: *AllowSystemPowerRequestDC* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. + +If you enable this policy setting, the computer automatically sleeps when network files are open. + +If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow automatic sleep with Open Network Files (plugged in)* +- GP name: *AllowSystemSleepWithRemoteFilesOpenAC* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. + +If you enable this policy setting, the computer automatically sleeps when network files are open. + +If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow automatic sleep with Open Network Files (on battery)* +- GP name: *AllowSystemSleepWithRemoteFilesOpenDC* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/CustomActiveSchemeOverride_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. + +If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active. + +If you disable or do not configure this policy setting, users can see and change this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify a custom active power plan* +- GP name: *CustomActiveSchemeOverride_2* +- GP path: *System\Power Management* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCBatteryDischargeAction0_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. + +If you enable this policy setting, select one of the following actions: + +- Take no action +- Sleep +- Hibernate +- Shut down + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Critical battery notification action* +- GP name: *DCBatteryDischargeAction0_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCBatteryDischargeAction1_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. + +If you enable this policy setting, select one of the following actions: + +- Take no action +- Sleep +- Hibernate +- Shut down + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Low battery notification action* +- GP name: *DCBatteryDischargeAction1_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCBatteryDischargeLevel0_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. + +If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification. + +To set the action that is triggered, see the "Critical Battery Notification Action" policy setting. + +If you disable this policy setting or do not configure it, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Critical battery notification level* +- GP name: *DCBatteryDischargeLevel0_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCBatteryDischargeLevel1UINotification_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. + +If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level. + +To configure the low battery notification level, see the "Low Battery Notification Level" policy setting. + +The notification will only be shown if the "Low Battery Notification Action" policy setting is configured to "No Action". + +If you disable or do not configure this policy setting, users can control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off low battery user notification* +- GP name: *DCBatteryDischargeLevel1UINotification_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCBatteryDischargeLevel1_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. + +If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the low notification. + +To set the action that is triggered, see the "Low Battery Notification Action" policy setting. + +If you disable this policy setting or do not configure it, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Low battery notification level* +- GP name: *DCBatteryDischargeLevel1_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCConnectivityInStandby_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. + +If you enable this policy setting, network connectivity will be maintained in standby. + +If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. + +If you do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow network connectivity during connected-standby (on battery)* +- GP name: *DCConnectivityInStandby_2* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCCriticalSleepTransitionsDisable_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. + +If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on the ability for applications to prevent sleep transitions (on battery)* +- GP name: *DCCriticalSleepTransitionsDisable_2* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCStartMenuButtonAction_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. + +If you enable this policy setting, select one of the following actions: + +- Sleep +- Hibernate +- Shut down + +If you disable this policy or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Start menu Power button action (on battery)* +- GP name: *DCStartMenuButtonAction_2* +- GP path: *System\Power Management\Button Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DiskACPowerDownTimeOut_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. + +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. + +If you disable or do not configure this policy setting, users can see and change this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn Off the hard disk (plugged in)* +- GP name: *DiskACPowerDownTimeOut_2* +- GP path: *System\Power Management\Hard Disk Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DiskDCPowerDownTimeOut_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. + +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. + +If you disable or do not configure this policy setting, users can see and change this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn Off the hard disk (on battery)* +- GP name: *DiskDCPowerDownTimeOut_2* +- GP path: *System\Power Management\Hard Disk Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/Dont_PowerOff_AfterShutdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. + +This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces. + +Applications such as UPS software may rely on Windows shutdown behavior. + +This setting is only applicable when Windows shutdown is initiated by software programs invoking the Windows programming interfaces ExitWindowsEx() or InitiateSystemShutdown(). + +If you enable this policy setting, the computer system safely shuts down and remains in a powered state, ready for power to be safely removed. + +If you disable or do not configure this policy setting, the computer system safely shuts down to a fully powered-off state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not turn off system power after a Windows system shutdown has occurred.* +- GP name: *Dont_PowerOff_AfterShutdown* +- GP path: *System* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/EnableDesktopSlideShowAC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. + +If you enable this policy setting, desktop background slideshow is enabled. + +If you disable this policy setting, the desktop background slideshow is disabled. + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on desktop background slideshow (plugged in)* +- GP name: *EnableDesktopSlideShowAC* +- GP path: *System\Power Management\Video and Display Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/EnableDesktopSlideShowDC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. + +If you enable this policy setting, desktop background slideshow is enabled. + +If you disable this policy setting, the desktop background slideshow is disabled. + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on desktop background slideshow (on battery)* +- GP name: *EnableDesktopSlideShowDC* +- GP path: *System\Power Management\Video and Display Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/InboxActiveSchemeOverride_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. + +If you enable this policy setting, specify a power plan from the Active Power Plan list. + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select an active power plan* +- GP name: *InboxActiveSchemeOverride_2* +- GP path: *System\Power Management* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/PW_PromptPasswordOnResume** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. + +If you enable this policy setting, the client computer is locked and prompted for a password when it is resumed from a suspend or hibernate state. + +If you disable or do not configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prompt for password on resume from hibernate/suspend* +- GP name: *PW_PromptPasswordOnResume* +- GP path: *System\Power Management* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/PowerThrottlingTurnOff** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Power Throttling. + +If you enable this policy setting, Power Throttling will be turned off. + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Power Throttling* +- GP name: *PowerThrottlingTurnOff* +- GP path: *System\Power Management\Power Throttling Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/ReserveBatteryNotificationLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. + +If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification. + +If you disable or do not configure this policy setting, users can see and change this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Reserve battery notification level* +- GP name: *ReserveBatteryNotificationLevel* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index 7113d20ba1..5880faae13 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -339,13 +339,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md new file mode 100644 index 0000000000..e97cb3df92 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -0,0 +1,2028 @@ +--- +title: Policy CSP - ADMX_Printing +description: Policy CSP - ADMX_Printing +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/15/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Printing +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Printing policies + +
    +
    + ADMX_Printing/AllowWebPrinting +
    +
    + ADMX_Printing/ApplicationDriverIsolation +
    +
    + ADMX_Printing/CustomizedSupportUrl +
    +
    + ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate +
    +
    + ADMX_Printing/DomainPrinters +
    +
    + ADMX_Printing/DownlevelBrowse +
    +
    + ADMX_Printing/EMFDespooling +
    +
    + ADMX_Printing/ForceSoftwareRasterization +
    +
    + ADMX_Printing/IntranetPrintersUrl +
    +
    + ADMX_Printing/KMPrintersAreBlocked +
    +
    + ADMX_Printing/LegacyDefaultPrinterMode +
    +
    + ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS +
    +
    + ADMX_Printing/NoDeletePrinter +
    +
    + ADMX_Printing/NonDomainPrinters +
    +
    + ADMX_Printing/PackagePointAndPrintOnly +
    +
    + ADMX_Printing/PackagePointAndPrintOnly_Win7 +
    +
    + ADMX_Printing/PackagePointAndPrintServerList +
    +
    + ADMX_Printing/PackagePointAndPrintServerList_Win7 +
    +
    + ADMX_Printing/PhysicalLocation +
    +
    + ADMX_Printing/PhysicalLocationSupport +
    +
    + ADMX_Printing/PrintDriverIsolationExecutionPolicy +
    +
    + ADMX_Printing/PrintDriverIsolationOverrideCompat +
    +
    + ADMX_Printing/PrinterDirectorySearchScope +
    +
    + ADMX_Printing/PrinterServerThread +
    +
    + ADMX_Printing/ShowJobTitleInEventLogs +
    +
    + ADMX_Printing/V4DriverDisallowPrinterExtension +
    +
    + + +
    + + +**ADMX_Printing/AllowWebPrinting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet. + +If you enable this policy setting, Internet printing is activated on this server. + +If you disable this policy setting or do not configure it, Internet printing is not activated. + +Internet printing is an extension of Internet Information Services (IIS). To use Internet printing, IIS must be installed, and printing support and this setting must be enabled. + +> [!NOTE] +> This setting affects the server side of Internet printing only. It does not prevent the print client on the computer from printing across the Internet. + +Also, see the "Custom support URL in the Printers folder's left pane" setting in this folder and the "Browse a common Web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Activate Internet printing* +- GP name: *AllowWebPrinting* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/ApplicationDriverIsolation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. + +Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers, depending on whether they are configured for it. + +If you enable or do not configure this policy setting, then applications that are configured to support driver isolation will be isolated. + +If you disable this policy setting, then print drivers will be loaded within all associated application processes. + +> [!NOTE] +> - This policy setting applies only to applications opted into isolation. +> - This policy setting applies only to print drivers loaded by applications. Print drivers loaded by the print spooler are not affected. +> - This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Isolate print drivers from applications* +- GP name: *ApplicationDriverIsolation* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/CustomizedSupportUrl** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. + +If you enable this policy setting, you replace the "Get help with printing" default link with a link to a Web page customized for your enterprise. + +If you disable this setting or do not configure it, or if you do not enter an alternate Internet address, the default link will appear in the Printers folder. + +> [!NOTE] +> Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. (To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in folders.") + +Also, see the "Activate Internet printing" setting in this setting folder and the "Browse a common web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. + +Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" settings in User Configuration\Administrative Templates\Windows Components\Windows Explorer, and by the "Enable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom support URL in the Printers folder's left pane* +- GP name: *CustomizedSupportUrl* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage where client computers search for Point and Printer drivers. + +If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache. + +If you disable this policy setting, the client computer will only search the local driver store and server driver cache for compatible Point and Print drivers. If it is unable to find a compatible driver, then the Point and Print connection will fail. + +This policy setting is not configured by default, and the behavior depends on the version of Windows that you are using. + +By default, Windows Ultimate, Professional and Home SKUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise, and all versions of Windows Server 2008 R2 and later) to have the same behavior. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Extend Point and Print connection to search Windows Update* +- GP name: *DoNotInstallCompatibleDriverFromWindowsUpdate* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/DomainPrinters** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) + +If this policy setting is disabled, the network scan page will not be displayed. + +If this policy setting is not configured, the Add Printer wizard will display the default number of printers of each type: + +- Directory printers: 20 +- TCP/IP printers: 0 +- Web Services printers: 0 +- Bluetooth printers: 10 +- Shared printers: 0 + +In order to view available Web Services printers on your network, ensure that network discovery is turned on. To turn on network discovery, click "Start", click "Control Panel", and then click "Network and Internet". On the "Network and Internet" page, click "Network and Sharing Center". On the Network and Sharing Center page, click "Change advanced sharing settings". On the Advanced sharing settings page, click the arrow next to "Domain" arrow, click "turn on network discovery", and then click "Save changes". + +If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0. + +In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. + +In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add Printer wizard - Network scan page (Managed network)* +- GP name: *DomainPrinters* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/DownlevelBrowse** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Allows users to use the Add Printer Wizard to search the network for shared printers. + +If you enable this setting or do not configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, and do not specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list. + +If you disable this setting, the network printer browse page is removed from within the Add Printer Wizard, and users cannot search the network but must type a printer name. + +> [!NOTE] +> This setting affects the Add Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Browse the network to find printers* +- GP name: *DownlevelBrowse* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/EMFDespooling** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. + +This policy setting only effects printing to a Windows print server. + +If you enable this policy setting on a client machine, the client spooler will not process print jobs before sending them to the print server. This decreases the workload on the client at the expense of increasing the load on the server. + +If you disable this policy setting on a client machine, the client itself will process print jobs into printer device commands. These commands will then be sent to the print server, and the server will simply pass the commands to the printer. This increases the workload of the client while decreasing the load on the server. + +If you do not enable this policy setting, the behavior is the same as disabling it. + +> [!NOTE] +> This policy does not determine whether offline printing will be available to the client. The client print spooler can always queue print jobs when not connected to the print server. Upon reconnecting to the server, the client will submit any pending print jobs. +> +> Some printer drivers require a custom print processor. In some cases the custom print processor may not be installed on the client machine, such as when the print server does not support transferring print processors during point-and-print. In the case of a print processor mismatch, the client spooler will always send jobs to the print server for rendering. Disabling the above policy setting does not override this behavior. +> +> In cases where the client print driver does not match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always render print jobs on the server* +- GP name: *EMFDespooling* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/ForceSoftwareRasterization** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. + +This setting may improve the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as compared to the machine’s GPU. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always rasterize content to be printed using a software rasterizer* +- GP name: *ForceSoftwareRasterization* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/IntranetPrintersUrl** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Adds a link to an Internet or intranet Web page to the Add Printer Wizard. + +You can use this setting to direct users to a Web page from which they can install printers. + +If you enable this setting and type an Internet or intranet address in the text box, the system adds a Browse button to the "Specify a Printer" page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or office network" option. When users click Browse, the system opens an Internet browser and navigates to the specified URL address to display the available printers. + +This setting makes it easy for users to find the printers you want them to add. + +Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Browse a common web site to find printers* +- GP name: *IntranetPrintersUrl* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/KMPrintersAreBlocked** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. + +If you disable this setting, or do not configure it, then printers using a kernel-mode drivers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional. + +If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked. + +If you enable this setting, installation of a printer using a kernel-mode driver will not be allowed. + +> [!NOTE] +> By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow installation of printers using kernel-mode drivers* +- GP name: *KMPrintersAreBlocked* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/LegacyDefaultPrinterMode** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This preference allows you to change default printer management. + +If you enable this setting, Windows will not manage the default printer. + +If you disable this setting, Windows will manage the default printer. + +If you do not configure this setting, default printer management will not change. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows default printer management* +- GP name: *LegacyDefaultPrinterMode* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2019. + +If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps). + +If you disable or do not configure this policy setting, the default MXDW output format is OpenXPS (*.oxps). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps)* +- GP name: *MXDWUseLegacyOutputFormatMSXPS* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/NoDeletePrinter** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it prevents users from deleting local and network printers. + +If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action. + +This setting does not prevent users from running other programs to delete a printer. + +If this policy is disabled, or not configured, users can delete printers using the methods described above. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent deletion of printers* +- GP name: *NoDeletePrinter* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/NonDomainPrinters** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) + +If this setting is disabled, the network scan page will not be displayed. + +If this setting is not configured, the Add Printer wizard will display the default number of printers of each type: + +- TCP/IP printers: 50 +- Web Services printers: 50 +- Bluetooth printers: 10 +- Shared printers: 50 + +If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0. + +In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. + +In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add Printer wizard - Network scan page (Unmanaged network)* +- GP name: *NonDomainPrinters* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PackagePointAndPrintOnly** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only. + +If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. + +If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Only use Package Point and print* +- GP name: *PackagePointAndPrintOnly* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PackagePointAndPrintOnly_Win7** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only. + +If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. + +If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Only use Package Point and print* +- GP name: *PackagePointAndPrintOnly_Win7* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PackagePointAndPrintServerList** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers. + +This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. + +Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server. + +If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. + +If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Package Point and print - Approved servers* +- GP name: *PackagePointAndPrintServerList* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PackagePointAndPrintServerList_Win7** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers. + +This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. + +Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server. + +If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. + +If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Package Point and print - Approved servers* +- GP name: *PackagePointAndPrintServerList_Win7* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PhysicalLocation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it specifies the default location criteria used when searching for printers. + +This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting. + +When Location Tracking is enabled, the system uses the specified location as a criterion when users search for printers. The value you type here overrides the actual location of the computer conducting the search. + +Type the location of the user's computer. When users search for printers, the system uses the specified location (and other search criteria) to find a printer nearby. You can also use this setting to direct users to a particular printer or group of printers that you want them to use. + +If you disable this setting or do not configure it, and the user does not type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Computer location* +- GP name: *PhysicalLocation* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PhysicalLocationSupport** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enables the physical Location Tracking setting for Windows printers. + +Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers. + +If you enable this setting, users can browse for printers by location without knowing the printer's location or location naming scheme. Enabling Location Tracking adds a Browse button in the Add Printer wizard's Printer Name and Sharing Location screen and to the General tab in the Printer Properties dialog box. If you enable the Group Policy Computer location setting, the default location you entered appears in the Location field by default. + +If you disable this setting or do not configure it, Location Tracking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and subnet mask). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Pre-populate printer search location text* +- GP name: *PhysicalLocationSupport* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PrintDriverIsolationExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. + +If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default. + +If you disable this policy setting, the print spooler will execute print drivers in the print spooler process. + +> [!NOTE] +> - Other system or driver policy settings may alter the process in which a print driver is executed. +> - This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected. +> - This policy setting takes effect without restarting the print spooler service. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Execute print drivers in isolated processes* +- GP name: *PrintDriverIsolationExecutionPolicy* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PrintDriverIsolationOverrideCompat** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. + +If you enable this policy setting, the print spooler isolates all print drivers that do not explicitly opt out of Driver Isolation. + +If you disable or do not configure this policy setting, the print spooler uses the Driver Isolation compatibility flag value reported by the print driver. + +> [!NOTE] +> - Other system or driver policy settings may alter the process in which a print driver is executed. +> - This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected. +> - This policy setting takes effect without restarting the print spooler service. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Override print driver execution compatibility setting reported by print driver* +- GP name: *PrintDriverIsolationOverrideCompat* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PrinterDirectorySearchScope** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies the Active Directory location where searches for printers begin. + +The Add Printer Wizard gives users the option of searching Active Directory for a shared printer. + +If you enable this policy setting, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of Active Directory. + +This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Default Active Directory path when searching for printers* +- GP name: *PrinterDirectorySearchScope* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PrinterServerThread** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse master servers for the domain. + +On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. + +If you enable this setting, the print spooler announces shared printers to the print browse master servers. + +If you disable this setting, shared printers are not announced to print browse master servers, even if Active Directory is not available. + +If you do not configure this setting, shared printers are announced to browse master servers only when Active Directory is not available. + +> [!NOTE] +> A client license is used each time a client computer announces a printer to a print browse master on the domain. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Printer browsing* +- GP name: *PrinterServerThread* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/ShowJobTitleInEventLogs** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print job name will be included in print event logs. + +If you disable or do not configure this policy setting, the print job name will not be included. + +If you enable this policy setting, the print job name will be included in new log entries. + +> [!NOTE] +> This setting does not apply to Branch Office Direct Printing jobs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow job name in event logs* +- GP name: *ShowJobTitleInEventLogs* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/V4DriverDisallowPrinterExtension** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy determines if v4 printer drivers are allowed to run printer extensions. + +V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device features, but this may not be appropriate for all enterprises. + +If you enable this policy setting, then all printer extensions will not be allowed to run. + +If you disable this policy setting or do not configure it, then all printer extensions that have been installed will be allowed to run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow v4 printer drivers to show printer extensions* +- GP name: *V4DriverDisallowPrinterExtension* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md new file mode 100644 index 0000000000..8ce369426a --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -0,0 +1,741 @@ +--- +title: Policy CSP - ADMX_Printing2 +description: Policy CSP - ADMX_Printing2 +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/15/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Printing2 +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Printing2 policies + +
    +
    + ADMX_Printing2/AutoPublishing +
    +
    + ADMX_Printing2/ImmortalPrintQueue +
    +
    + ADMX_Printing2/PruneDownlevel +
    +
    + ADMX_Printing2/PruningInterval +
    +
    + ADMX_Printing2/PruningPriority +
    +
    + ADMX_Printing2/PruningRetries +
    +
    + ADMX_Printing2/PruningRetryLog +
    +
    + ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint +
    +
    + ADMX_Printing2/VerifyPublishedState +
    +
    + + +
    + + +**ADMX_Printing2/AutoPublishing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. + +If you enable this setting or do not configure it, the Add Printer Wizard automatically publishes all shared printers. + +If you disable this setting, the Add Printer Wizard does not automatically publish printers. However, you can publish shared printers manually. + +The default behavior is to automatically publish shared printers in Active Directory. + +> [!NOTE] +> This setting is ignored if the "Allow printers to be published" setting is disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatically publish new printers in Active Directory* +- GP name: *AutoPublishing* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/ImmortalPrintQueue** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. + +By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them does not respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects. + +If you enable this setting or do not configure it, the domain controller prunes this computer's printers when the computer does not respond. + +If you disable this setting, the domain controller does not prune this computer's printers. This setting is designed to prevent printers from being pruned when the computer is temporarily disconnected from the network. + +> [!NOTE] +> You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the contact interval and number of contact attempts. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow pruning of published printers* +- GP name: *ImmortalPrintQueue* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/PruneDownlevel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond,just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. + +The Windows pruning service prunes printer objects from Active Directory when the computer that published them does not respond to contact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because non-Windows 2000 computers and computers in other domains cannot republish printers in Active Directory automatically, by default, the system never prunes their printer objects. + +You can enable this setting to change the default behavior. To use this setting, select one of the following options from the "Prune non-republishing printers" box: + +- "Never" specifies that printer objects that are not automatically republished are never pruned. "Never" is the default. + +- "Only if Print Server is found" prunes printer objects that are not automatically republished only when the print server responds, but the printer is unavailable. + +- "Whenever printer is not found" prunes printer objects that are not automatically republished whenever the host computer does not respond, just as it does with Windows 2000 printers. + +> [!NOTE] +> This setting applies to printers published by using Active Directory Users and Computers or Pubprn.vbs. It does not apply to printers published by using Printers in Control Panel. + +> [!TIP] +> If you disable automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prune printers that are not automatically republished* +- GP name: *PruneDownlevel* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/PruningInterval** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. + +The pruning service periodically contacts computers that have published printers. If a computer does not respond to the contact message (optionally, after repeated attempts), the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. + +By default, the pruning service contacts computers every eight hours and allows two repeated contact attempts before deleting printers from Active Directory. + +If you enable this setting, you can change the interval between contact attempts. + +If you do not configure or disable this setting the default values will be used. + +> [!NOTE] +> This setting is used only on domain controllers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Directory pruning interval* +- GP name: *PruningInterval* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/PruningPriority** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Sets the priority of the pruning thread. + +The pruning thread, which runs only on domain controllers, deletes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This process keeps printer information in Active Directory current. + +The thread priority influences the order in which the thread receives processor time and determines how likely it is to be preempted by higher priority threads. + +By default, the pruning thread runs at normal priority. However, you can adjust the priority to improve the performance of this service. + +> [!NOTE] +> This setting is used only on domain controllers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Directory pruning priority* +- GP name: *PruningPriority* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/PruningRetries** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers. + +The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact message, the message is repeated for the specified number of times. If the computer still fails to respond, then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. + +By default, the pruning service contacts computers every eight hours and allows two retries before deleting printers from Active Directory. You can use this setting to change the number of retries. + +If you enable this setting, you can change the interval between attempts. + +If you do not configure or disable this setting, the default values are used. + +> [!NOTE] +> This setting is used only on domain controllers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Directory pruning retry* +- GP name: *PruningRetries* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/PruningRetryLog** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. + +The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight hours. If the computer has not responded by the last contact attempt, its printers are pruned from the directory. + +If you enable this policy setting, the contact events are recorded in the event log. + +If you disable or do not configure this policy setting, the contact events are not recorded in the event log. + +Note: This setting does not affect the logging of pruning events; the actual pruning of a printer is always logged. + +> [!NOTE] +> This setting is used only on domain controllers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Log directory pruning retry events* +- GP name: *PruningRetryLog* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print spooler will accept client connections. + +When the policy is not configured or enabled, the spooler will always accept client connections. + +When the policy is disabled, the spooler will not accept client connections nor allow users to share printers. All printers currently shared will continue to be shared. + +The spooler must be restarted for changes to this policy to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow Print Spooler to accept client connections* +- GP name: *RegisterSpoolerRemoteRpcEndPoint* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/VerifyPublishedState** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification. + +By default, the system only verifies published printers at startup. This setting allows for periodic verification while the computer is operating. + +To enable this additional verification, enable this setting, and then select a verification interval. + +To disable verification, disable this setting, or enable this setting and select "Never" for the verification interval. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Check published state* +- GP name: *VerifyPublishedState* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md new file mode 100644 index 0000000000..d7e0d1fec9 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -0,0 +1,569 @@ +--- +title: Policy CSP - ADMX_Programs +description: Policy CSP - ADMX_Programs +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Programs +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Programs policies + +
    +
    + ADMX_Programs/NoDefaultPrograms +
    +
    + ADMX_Programs/NoGetPrograms +
    +
    + ADMX_Programs/NoInstalledUpdates +
    +
    + ADMX_Programs/NoProgramsAndFeatures +
    +
    + ADMX_Programs/NoProgramsCPL +
    +
    + ADMX_Programs/NoWindowsFeatures +
    +
    + ADMX_Programs/NoWindowsMarketplace +
    +
    + + +
    + + +**ADMX_Programs/NoDefaultPrograms** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. + +The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations. + +If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users. + +This setting does not prevent users from using other tools and methods to change program access or defaults. + +This setting does not prevent the Default Programs icon from appearing on the Start menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Set Program Access and Computer Defaults" page* +- GP name: *NoDefaultPrograms* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + + +**ADMX_Programs/NoGetPrograms** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from viewing or installing published programs from the network. + +This setting prevents users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View and the "Install a program from the network" task. The "Get Programs" page lists published programs and provides an easy way to install them. + +Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users of their availability, to recommend their use, or to enable users to install them without having to search for installation files. + +If this setting is enabled, users cannot view the programs that have been published by the system administrator, and they cannot use the "Get Programs" page to install published programs. Enabling this feature does not prevent users from installing programs by using other methods. Users will still be able to view and installed assigned (partially installed) programs that are offered on the desktop or on the Start menu. + +If this setting is disabled or is not configured, the "Install a program from the network" task to the "Get Programs" page will be available to all users. + +> [!NOTE] +> If the "Hide Programs Control Panel" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Get Programs" page* +- GP name: *NoGetPrograms* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + + +**ADMX_Programs/NoInstalledUpdates** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. + +"Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers. + +If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users. + +This setting does not prevent users from using other tools and methods to install or uninstall programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Installed Updates" page* +- GP name: *NoInstalledUpdates* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + + +**ADMX_Programs/NoProgramsAndFeatures** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. + +If this setting is disabled or not configured, "Programs and Features" will be available to all users. + +This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Programs and Features" page* +- GP name: *NoProgramsAndFeatures* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + + +**ADMX_Programs/NoProgramsCPL** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. + +The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel. + +If this setting is disabled or not configured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available to all users. + +When enabled, this setting takes precedence over the other settings in this folder. + +This setting does not prevent users from using other tools and methods to install or uninstall programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the Programs Control Panel* +- GP name: *NoProgramsCPL* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + + +**ADMX_Programs/NoWindowsFeatures** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. + +If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users. + +This setting does not prevent users from using other tools and methods to configure services or enable or disable program components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Windows Features"* +- GP name: *NoWindowsFeatures* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + + +**ADMX_Programs/NoWindowsMarketplace** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. + +Windows Marketplace allows users to purchase and/or download various programs to their computer for installation. + +Enabling this feature does not prevent users from navigating to Windows Marketplace using other methods. + +If this feature is disabled or is not configured, the "Get new programs from Windows Marketplace" task link will be available to all users. + +> [!NOTE] +> If the "Hide Programs control Panel" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Windows Marketplace"* +- GP name: *NoWindowsMarketplace* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index e466f85f86..398c939856 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. @@ -159,7 +159,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. If you enable this policy setting, error reporting includes unplanned shutdown events. @@ -234,7 +234,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. The system state data file contains information about the basic system state as well as the state of all running processes. @@ -312,7 +312,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. +Available in the latest Windows 10 Insider Preview Build. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. @@ -348,14 +348,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md new file mode 100644 index 0000000000..692487c12d --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -0,0 +1,206 @@ +--- +title: Policy CSP - ADMX_RemoteAssistance +description: Policy CSP - ADMX_RemoteAssistance +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/14/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_RemoteAssistance +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_RemoteAssistance policies + +
    +
    + ADMX_RemoteAssistance/RA_EncryptedTicketOnly +
    +
    + ADMX_RemoteAssistance/RA_Optimize_Bandwidth +
    +
    + + +
    + + +**ADMX_RemoteAssistance/RA_EncryptedTicketOnly** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. + +If you enable this policy setting, only computers running this version (or later versions) of the operating system can connect to this computer. + +If you disable this policy setting, computers running this version and a previous version of the operating system can connect to this computer. + +If you do not configure this policy setting, users can configure the setting in System Properties in the Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow only Windows Vista or later connections* +- GP name: *RA_EncryptedTicketOnly* +- GP path: *System\Remote Assistance* +- GP ADMX file name: *RemoteAssistance.admx* + + + +
    + + +**ADMX_RemoteAssistance/RA_Optimize_Bandwidth** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to improve performance in low bandwidth scenarios. + +This setting is incrementally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting. + +For example: + +"Turn off background" will include the following optimizations: + +- No full window drag +- Turn off background + +"Full optimization" will include the following optimizations: + +- Use 16-bit color (8-bit color in Windows Vista) +- Turn off font smoothing (not supported in Windows Vista) +- No full window drag +- Turn off background + +If you enable this policy setting, bandwidth optimization occurs at the level specified. + +If you disable this policy setting, application-based settings are used. + +If you do not configure this policy setting, application-based settings are used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on bandwidth optimization* +- GP name: *RA_Optimize_Bandwidth* +- GP path: *System\Remote Assistance* +- GP ADMX file name: *RemoteAssistance.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md new file mode 100644 index 0000000000..6a9c3b8bfa --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -0,0 +1,2329 @@ +--- +title: Policy CSP - ADMX_RemovableStorage +description: Policy CSP - ADMX_RemovableStorage +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_RemovableStorage +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_RemovableStorage policies + +
    +
    + ADMX_RemovableStorage/AccessRights_RebootTime_1 +
    +
    + ADMX_RemovableStorage/AccessRights_RebootTime_2 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1 +
    +
    + ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2 +
    +
    + ADMX_RemovableStorage/Removable_Remote_Allow_Access +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2 +
    +
    + + +
    + + +**ADMX_RemovableStorage/AccessRights_RebootTime_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. + +If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. + +If you disable or do not configure this setting, the operating system does not force a reboot. + +> [!NOTE] +> If no reboot is forced, the access right does not take effect until the operating system is restarted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set time (in seconds) to force reboot* +- GP name: *AccessRights_RebootTime_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/AccessRights_RebootTime_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. + +If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. + +If you disable or do not configure this setting, the operating system does not force a reboot + +> [!NOTE] +> If no reboot is forced, the access right does not take effect until the operating system is restarted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set time (in seconds) to force reboot* +- GP name: *AccessRights_RebootTime_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the CD and DVD removable storage class. + +If you enable this policy setting, execute access is denied to this removable storage class. + +If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *CD and DVD: Deny execute access* +- GP name: *CDandDVD_DenyExecute_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *CD and DVD: Deny read access* +- GP name: *CDandDVD_DenyRead_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *CD and DVD: Deny read access* +- GP name: *CDandDVD_DenyRead_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *CD and DVD: Deny write access* +- GP name: *CDandDVD_DenyWrite_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *CD and DVD: Deny write access* +- GP name: *CDandDVD_DenyWrite_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes. + +If you enable this policy setting, read access is denied to these removable storage classes. + +If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom Classes: Deny read access* +- GP name: *CustomClasses_DenyRead_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes. + +If you enable this policy setting, read access is denied to these removable storage classes. + +If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom Classes: Deny read access* +- GP name: *CustomClasses_DenyRead_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes. + +If you enable this policy setting, write access is denied to these removable storage classes. + +If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom Classes: Deny write access* +- GP name: *CustomClasses_DenyWrite_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes. + +If you enable this policy setting, write access is denied to these removable storage classes. + +If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom Classes: Deny write access* +- GP name: *CustomClasses_DenyWrite_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. + +If you enable this policy setting, execute access is denied to this removable storage class. + +If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Floppy Drives: Deny execute access* +- GP name: *FloppyDrives_DenyExecute_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Floppy Drives: Deny read access* +- GP name: *FloppyDrives_DenyRead_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Floppy Drives: Deny read access* +- GP name: *FloppyDrives_DenyRead_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Floppy Drives: Deny write access* +- GP name: *FloppyDrives_DenyWrite_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Floppy Drives: Deny write access* +- GP name: *FloppyDrives_DenyWrite_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to removable disks. + +If you enable this policy setting, execute access is denied to this removable storage class. + +If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Removable Disks: Deny execute access* +- GP name: *RemovableDisks_DenyExecute_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Removable Disks: Deny read access* +- GP name: *RemovableDisks_DenyRead_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Removable Disks: Deny read access* +- GP name: *RemovableDisks_DenyRead_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + +> [!NOTE] +> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Removable Disks: Deny write access* +- GP name: *RemovableDisks_DenyWrite_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes. + +This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. + +If you enable this policy setting, no access is allowed to any removable storage class. + +If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *All Removable Storage classes: Deny all access* +- GP name: *RemovableStorageClasses_DenyAll_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes. + +This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. + +If you enable this policy setting, no access is allowed to any removable storage class. + +If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *All Removable Storage classes: Deny all access* +- GP name: *RemovableStorageClasses_DenyAll_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/Removable_Remote_Allow_Access** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting grants normal users direct access to removable storage devices in remote sessions. + +If you enable this policy setting, remote users can open direct handles to removable storage devices in remote sessions. + +If you disable or do not configure this policy setting, remote users cannot open direct handles to removable storage devices in remote sessions. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *All Removable Storage: Allow direct access in remote sessions* +- GP name: *Removable_Remote_Allow_Access* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Tape Drive removable storage class. + +If you enable this policy setting, execute access is denied to this removable storage class. + +If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Tape Drives: Deny execute access* +- GP name: *TapeDrives_DenyExecute_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Tape Drives: Deny read access* +- GP name: *TapeDrives_DenyRead_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Tape Drives: Deny read access* +- GP name: *TapeDrives_DenyRead_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Tape Drives: Deny write access* +- GP name: *TapeDrives_DenyWrite_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Tape Drives: Deny write access* +- GP name: *TapeDrives_DenyWrite_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *WPD Devices: Deny read access* +- GP name: *WPDDevices_DenyRead_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *WPD Devices: Deny read access* +- GP name: *WPDDevices_DenyRead_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *WPD Devices: Deny write access* +- GP name: *WPDDevices_DenyWrite_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *WPD Devices: Deny write access* +- GP name: *WPDDevices_DenyWrite_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md new file mode 100644 index 0000000000..4c77e82fa2 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-rpc.md @@ -0,0 +1,391 @@ +--- +title: Policy CSP - ADMX_RPC +description: Policy CSP - ADMX_RPC +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_RPC +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_RPC policies + +
    +
    + ADMX_RPC/RpcExtendedErrorInformation +
    +
    + ADMX_RPC/RpcIgnoreDelegationFailure +
    +
    + ADMX_RPC/RpcMinimumHttpConnectionTimeout +
    +
    + ADMX_RPC/RpcStateInformation +
    +
    + + +
    + + +**ADMX_RPC/RpcExtendedErrorInformation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the RPC runtime generates extended error information when an error occurs. + +Extended error information includes the local time that the error occurred, the RPC version, and the name of the computer on which the error occurred, or from which it was propagated. Programs can retrieve the extended error information by using standard Windows application programming interfaces (APIs). + +If you disable this policy setting, the RPC Runtime only generates a status code to indicate an error condition. + +If you do not configure this policy setting, it remains disabled. It will only generate a status code to indicate an error condition. + +If you enable this policy setting, the RPC runtime will generate extended error information. + +You must select an error response type in the drop-down box. + +- "Off" disables all extended error information for all processes. RPC only generates an error code. +- "On with Exceptions" enables extended error information, but lets you disable it for selected processes. To disable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. +- "Off with Exceptions" disables extended error information, but lets you enable it for selected processes. To enable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. +- "On" enables extended error information for all processes. + +> [!NOTE] +> For information about the Extended Error Information Exception field, see the Windows Software Development Kit (SDK). +> +> Extended error information is formatted to be compatible with other operating systems and older Microsoft operating systems, but only newer Microsoft operating systems can read and respond to the information. +> +> The default policy setting, "Off," is designed for systems where extended error information is considered to be sensitive, and it should not be made available remotely. +> +> This policy setting will not be applied until the system is rebooted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Propagate extended error information* +- GP name: *RpcExtendedErrorInformation* +- GP path: *System\Remote Procedure Call* +- GP ADMX file name: *RPC.admx* + + + +
    + + +**ADMX_RPC/RpcIgnoreDelegationFailure** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested. + +The constrained delegation model, introduced in Windows Server 2003, does not report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation. + +If you disable this policy setting, the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. + +If you do not configure this policy setting, it remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. + +If you enable this policy setting, then: + +- "Off" directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation, but the created security context does not support delegation. + +- "On" directs the RPC Runtime to accept security contexts that do not support delegation even if delegation was asked for. + +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ignore Delegation Failure* +- GP name: *RpcIgnoreDelegationFailure* +- GP path: *System\Remote Procedure Call* +- GP ADMX file name: *RPC.admx* + + + + +
    + + +**ADMX_RPC/RpcMinimumHttpConnectionTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the idle connection timeout for RPC/HTTP connections. + +This policy setting is useful in cases where a network agent like an HTTP proxy or a router uses a lower idle connection timeout than the IIS server running the RPC/HTTP proxy. In such cases, RPC/HTTP clients may encounter errors because connections will be timed out faster than expected. Using this policy setting you can force the RPC Runtime and the RPC/HTTP Proxy to use a lower connection timeout. + +This policy setting is only applicable when the RPC Client, the RPC Server and the RPC HTTP Proxy are all running Windows Server 2003 family/Windows XP SP1 or higher versions. If either the RPC Client or the RPC Server or the RPC HTTP Proxy run on an older version of Windows, this policy setting will be ignored. + +The minimum allowed value for this policy setting is 90 seconds. The maximum is 7200 seconds (2 hours). + +If you disable this policy setting, the idle connection timeout on the IIS server running the RPC HTTP proxy will be used. + +If you do not configure this policy setting, it will remain disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used. + +If you enable this policy setting, and the IIS server running the RPC HTTP proxy is configured with a lower idle connection timeout, the timeout on the IIS server is used. Otherwise, the provided timeout value is used. The timeout is given in seconds. + +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Minimum Idle Connection Timeout for RPC/HTTP connections* +- GP name: *RpcMinimumHttpConnectionTimeout* +- GP path: *System\Remote Procedure Call* +- GP ADMX file name: *RPC.admx* + + + +
    + + +**ADMX_RPC/RpcStateInformation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the RPC Runtime maintains RPC state information for the system, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is required for troubleshooting RPC problems. + +If you disable this policy setting, the RPC runtime defaults to "Auto2" level. + +If you do not configure this policy setting, the RPC defaults to "Auto2" level. + +If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information. + +- "None" indicates that the system does not maintain any RPC state information. Note: Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting is not recommended for most installations. + +- "Auto1" directs RPC to maintain basic state information only if the computer has at least 64 MB of memory. + +- "Auto2" directs RPC to maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server. + +- "Server" directs RPC to maintain basic state information on the computer, regardless of its capacity. + +- "Full" directs RPC to maintain complete RPC state information on the system, regardless of its capacity. Because this level can degrade performance, it is recommended for use only while you are investigating an RPC problem. + +> [!NOTE] +> To retrieve the RPC state information from a system that maintains it, you must use a debugging tool. +> +> This policy setting will not be applied until the system is rebooted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Maintain RPC Troubleshooting State Information* +- GP name: *RpcStateInformation* +- GP path: *System\Remote Procedure Call* +- GP ADMX file name: *RPC.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index 7f655514ef..56b8fa10a1 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -107,7 +107,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured. @@ -176,7 +176,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long the system waits for scripts applied by Group Policy to run. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the system waits for scripts applied by Group Policy to run. This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event. @@ -251,7 +251,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. @@ -343,7 +343,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. +Available in the latest Windows 10 Insider Preview Build. This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000. @@ -416,7 +416,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in logoff scripts as they run. +Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in logoff scripts as they run. Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script. @@ -487,7 +487,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. @@ -558,7 +558,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. @@ -629,7 +629,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in logon scripts as they run. +Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in logon scripts as they run. Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts. @@ -700,7 +700,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in shutdown scripts as they run. +Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in shutdown scripts as they run. Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script. @@ -771,7 +771,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets the system run startup scripts simultaneously. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets the system run startup scripts simultaneously. Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script. @@ -845,7 +845,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in startup scripts as they run. +Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in startup scripts as they run. Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script. @@ -920,7 +920,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff. @@ -972,14 +972,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index ce4096ecc5..dca614dec2 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -80,7 +80,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. @@ -149,7 +149,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. @@ -220,7 +220,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trusted publishers. @@ -247,14 +247,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index 3f963a77cb..7590b70934 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. Note that Security Center can only be turned off for computers that are joined to a Windows domain. When a computer is not joined to a Windows domain, the policy setting will have no effect. @@ -113,14 +113,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md index 00ff56dafe..66a0fdf6d6 100644 --- a/windows/client-management/mdm/policy-csp-admx-sensors.md +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md @@ -389,13 +389,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md index c18852e5ea..af834f2656 100644 --- a/windows/client-management/mdm/policy-csp-admx-servicing.md +++ b/windows/client-management/mdm/policy-csp-admx-servicing.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the ""Alternate source file path"" text box. Multiple locations can be specified when each path is separated by a semicolon. @@ -103,14 +103,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md new file mode 100644 index 0000000000..53ca6431fc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md @@ -0,0 +1,706 @@ +--- +title: Policy CSP - ADMX_SettingSync +description: Policy CSP - ADMX_SettingSync +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_SettingSync +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_SettingSync policies + +
    +
    + ADMX_SettingSync/DisableAppSyncSettingSync +
    +
    + ADMX_SettingSync/DisableApplicationSettingSync +
    +
    + ADMX_SettingSync/DisableCredentialsSettingSync +
    +
    + ADMX_SettingSync/DisableDesktopThemeSettingSync +
    +
    + ADMX_SettingSync/DisablePersonalizationSettingSync +
    +
    + ADMX_SettingSync/DisableSettingSync +
    +
    + ADMX_SettingSync/DisableStartLayoutSettingSync +
    +
    + ADMX_SettingSync/DisableSyncOnPaidNetwork +
    +
    + ADMX_SettingSync/DisableWindowsSettingSync +
    +
    + + +
    + + +**ADMX_SettingSync/DisableAppSyncSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "AppSync" group will not be synced. + +Use the option "Allow users to turn app syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "AppSync" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync Apps* +- GP name: *DisableAppSyncSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableApplicationSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "app settings" group will not be synced. + +Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "app settings" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync app settings* +- GP name: *DisableApplicationSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableCredentialsSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "passwords" group will not be synced. + +Use the option "Allow users to turn passwords syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "passwords" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync passwords* +- GP name: *DisableCredentialsSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableDesktopThemeSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "desktop personalization" group will not be synced. + +Use the option "Allow users to turn desktop personalization syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "desktop personalization" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync desktop personalization* +- GP name: *DisableDesktopThemeSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisablePersonalizationSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "personalize" group will not be synced. + +Use the option "Allow users to turn personalize syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "personalize" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync personalize* +- GP name: *DisablePersonalizationSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. + +If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC. + +Use the option "Allow users to turn syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, "sync your settings" is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync* +- GP name: *DisableSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableStartLayoutSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "Start layout" group will not be synced. + +Use the option "Allow users to turn start syncing on" so that syncing is turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "Start layout" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync start settings* +- GP name: *DisableStartLayoutSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableSyncOnPaidNetwork** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. + +If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection. + +If you do not set or disable this setting, syncing on metered connections is configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync on metered connections* +- GP name: *DisableSyncOnPaidNetwork* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableWindowsSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "Other Windows settings" group will not be synced. + +Use the option "Allow users to turn other Windows settings syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "Other Windows settings" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync other Windows settings* +- GP name: *DisableWindowsSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index 7b7f7b195c..a9749a346b 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -76,7 +76,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS . @@ -149,7 +149,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS. @@ -179,14 +179,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index a293d2b013..42e13cdd7d 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -73,7 +73,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. If you enable this policy setting, users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders. @@ -100,14 +100,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index e8df85ad6d..58d1a90759 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. @@ -155,7 +155,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Disables the Windows registry editor Regedit.exe. +Available in the latest Windows 10 Insider Preview Build. Disables the Windows registry editor Regedit.exe. If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. @@ -227,7 +227,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents Windows from running the programs you specify in this policy setting. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows from running the programs you specify in this policy setting. If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications. @@ -302,7 +302,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Limits the Windows programs that users have permission to run on the computer. +Available in the latest Windows 10 Insider Preview Build. Limits the Windows programs that users have permission to run on the computer. If you enable this policy setting, users can only run programs that you add to the list of allowed applications. @@ -335,14 +335,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-skydrive.md b/windows/client-management/mdm/policy-csp-admx-skydrive.md new file mode 100644 index 0000000000..e42d009528 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-skydrive.md @@ -0,0 +1,117 @@ +--- +title: Policy CSP - ADMX_SkyDrive +description: Policy CSP - ADMX_SkyDrive +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_SkyDrive +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_SkyDrive policies + +
    +
    + ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn +
    +
    + + +
    + + +**ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enable this setting to prevent the OneDrive sync client (OneDrive.exe) from generating network traffic (checking for updates, etc.) until the user signs in to OneDrive or starts syncing files to the local computer. + +If you enable this setting, users must sign in to the OneDrive sync client on the local computer, or select to sync OneDrive or SharePoint files on the computer, for the sync client to start automatically. + +If this setting is not enabled, the OneDrive sync client will start automatically when users sign in to Windows. + +If you enable or disable this setting, do not return the setting to Not Configured. Doing so will not change the configuration and the last configured setting will remain in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent OneDrive from generating network traffic until the user signs in to OneDrive* +- GP name: *PreventNetworkTrafficPreUserSignIn* +- GP path: *Windows Components\OneDrive* +- GP ADMX file name: *SkyDrive.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index 76452c2119..b75b3b086d 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -119,7 +119,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. @@ -194,7 +194,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). In order to use the integrated unblock feature your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature. @@ -265,7 +265,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen. @@ -334,7 +334,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displaying of the certificate on the client machine. @@ -405,7 +405,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card. @@ -474,7 +474,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the cleanup behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate cleanup will occur on logoff. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the cleanup behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate cleanup will occur on logoff. > [!TIP] @@ -539,7 +539,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card. @@ -611,7 +611,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents plaintext PINs from being returned by Credential Manager. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents plaintext PINs from being returned by Credential Manager. If you enable this policy setting, Credential Manager does not return a plaintext PIN. @@ -683,7 +683,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain. @@ -755,7 +755,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you configure if all your valid logon certificates are displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you configure if all your valid logon certificates are displayed. During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN). @@ -831,7 +831,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the reading of all certificates from the smart card for logon. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the reading of all certificates from the smart card for logon. During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior. @@ -902,7 +902,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the displayed message when a smart card is blocked. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the displayed message when a smart card is blocked. If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked. @@ -974,7 +974,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. @@ -1045,7 +1045,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether Smart Card Plug and Play is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether Smart Card Plug and Play is enabled. If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time. @@ -1117,7 +1117,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed. @@ -1189,7 +1189,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed. @@ -1216,14 +1216,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 2a83f8346c..8b1a15bdca 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md @@ -80,7 +80,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. SNMP is a protocol designed to give a user the capability to remotely manage a computer network, by polling and setting terminal values and monitoring network events. @@ -161,7 +161,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. @@ -241,7 +241,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. @@ -277,14 +277,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index 09955c429e..2c16014c48 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -4998,13 +4998,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md new file mode 100644 index 0000000000..70b84425c0 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -0,0 +1,121 @@ +--- +title: Policy CSP - ADMX_SystemRestore +description: Policy CSP - ADMX_SystemRestore +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/13/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_SystemRestore +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_SystemRestore policies + +
    +
    + ADMX_SystemRestore/SR_DisableConfig +
    +
    + + +
    + + +**ADMX_SystemRestore/SR_DisableConfig** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Allows you to disable System Restore configuration through System Protection. + +This policy setting allows you to turn off System Restore configuration through System Protection. + +System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this policy setting depends on the "Turn off System Restore" policy setting. + +If you enable this policy setting, the option to configure System Restore through System Protection is disabled. + +If you disable or do not configure this policy setting, users can change the System Restore settings through System Protection. + +Also, see the "Turn off System Restore" policy setting. If the "Turn off System Restore" policy setting is enabled, the "Turn off System Restore configuration" policy setting is overwritten. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Configuration* +- GP name: *SR_DisableConfig* +- GP path: *System\System Restore* +- GP ADMX file name: *SystemRestore.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index d7177153a7..bff61dc5f1 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -1650,14 +1650,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index b43d4d2011..3cd6999994 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -110,7 +110,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can specify a relay name for a 6to4 host. @@ -179,7 +179,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can specify the value for the duration at which the relay name is resolved periodically. @@ -248,7 +248,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. If you disable or do not configure this policy setting, the local host setting is used. @@ -323,7 +323,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. If you disable or do not configure this policy setting, the local host settings are used. @@ -398,7 +398,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure IP Stateless Autoconfiguration Limits. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure IP Stateless Autoconfiguration Limits. If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. @@ -467,7 +467,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required. @@ -536,7 +536,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. If you disable or do not configure this policy setting, the local host setting is used. @@ -611,7 +611,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. If you enable this policy setting, you can customize a UDP port for the Teredo client. @@ -680,7 +680,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. If you disable or do not configure this policy setting, the local host setting is used. @@ -751,7 +751,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the Teredo refresh rate. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the Teredo refresh rate. > [!NOTE] > On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation table of the Teredo client's NAT device. @@ -823,7 +823,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. If you enable this policy setting, you can specify a Teredo server name that applies to a Teredo client. @@ -892,7 +892,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. If you disable or do not configure this policy setting, the local host settings are used. @@ -969,7 +969,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. If you do not configure this policy setting, the local host settings are used. @@ -998,14 +998,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index 69fd52c66e..73f6ca56cd 100644 --- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -79,7 +79,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. File Explorer displays thumbnail images by default. @@ -150,7 +150,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. File Explorer displays thumbnail images on network folders by default. @@ -221,7 +221,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Turns off the caching of thumbnails in hidden thumbs.db files. +Available in the latest Windows 10 Insider Preview Build. Turns off the caching of thumbnails in hidden thumbs.db files. This policy setting allows you to configure File Explorer to cache thumbnails of items residing in network folders in hidden thumbs.db files. @@ -251,14 +251,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index aeec40aa7f..d12a0686f7 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -101,7 +101,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command with TPM 1.2, run "tpm.msc" and navigate to the "Command Management" section. @@ -170,7 +170,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. > [!TIP] @@ -235,7 +235,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list. @@ -306,7 +306,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list. @@ -377,7 +377,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none. @@ -455,7 +455,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. +Available in the latest Windows 10 Insider Preview Build. This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. > [!TIP] @@ -520,7 +520,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -601,7 +601,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -684,7 +684,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -767,7 +767,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system. > [!TIP] @@ -790,14 +790,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index d967a2db8e..7f23f18d6f 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -450,7 +450,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Calculator. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Calculator. By default, the user settings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization between computers. @@ -524,7 +524,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. With Sync Method set to ”SyncProvider,” the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location. @@ -603,7 +603,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. @@ -677,7 +677,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL. @@ -748,7 +748,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the URL for the Contact IT link in the Company Settings Center. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the URL for the Contact IT link in the Company Settings Center. If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto. @@ -819,7 +819,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. By default, the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage location. @@ -896,7 +896,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization. @@ -967,7 +967,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effect. With Auto-register inbox templates enabled, the UE-V inbox templates such as Office 2016 will be automatically registered when the UE-V Service is enabled. If this option is changed, it will only take effect when UE-V service is re-enabled. @@ -1035,7 +1035,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. If you enable this policy setting, Finance user settings continue to sync. @@ -1106,7 +1106,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. With this setting enabled, the notification appears the first time that the UE-V Agent runs. @@ -1178,7 +1178,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. If you enable this policy setting, Games user settings continue to sync. @@ -1250,7 +1250,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Internet Explorer 8. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Internet Explorer 8. By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers. @@ -1324,7 +1324,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. @@ -1396,7 +1396,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize. @@ -1468,7 +1468,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize. @@ -1540,7 +1540,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. By default, the user settings which are common between the versions of Internet Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between computers. If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize. @@ -1612,7 +1612,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. If you enable this policy setting, Maps user settings continue to sync. @@ -1684,7 +1684,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log. @@ -1754,7 +1754,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize. @@ -1826,7 +1826,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize. @@ -1898,7 +1898,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize. @@ -1969,7 +1969,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize. @@ -2041,7 +2041,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize. @@ -2113,7 +2113,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize. @@ -2184,7 +2184,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize. @@ -2256,7 +2256,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize. @@ -2328,7 +2328,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize. @@ -2399,7 +2399,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize. @@ -2471,7 +2471,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize. @@ -2543,7 +2543,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize. @@ -2615,7 +2615,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize. @@ -2687,7 +2687,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize. @@ -2759,7 +2759,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize. @@ -2830,7 +2830,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up. @@ -2902,7 +2902,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize. @@ -2974,7 +2974,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office Suite 2013 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2013 applications. If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up. @@ -3047,7 +3047,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2013. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2013. By default, the user settings of Microsoft Excel 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2013 from synchronization between computers. @@ -3120,7 +3120,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up. @@ -3191,7 +3191,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize. @@ -3263,7 +3263,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up. @@ -3335,7 +3335,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize. @@ -3406,7 +3406,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up. @@ -3478,7 +3478,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize. @@ -3550,7 +3550,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize. @@ -3622,7 +3622,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up. @@ -3694,7 +3694,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize. @@ -3765,7 +3765,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up. @@ -3837,7 +3837,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize. @@ -3909,7 +3909,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up. @@ -3981,7 +3981,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize. @@ -4052,7 +4052,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up. @@ -4124,7 +4124,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize. @@ -4196,7 +4196,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up. @@ -4268,7 +4268,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize. @@ -4339,7 +4339,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up. @@ -4410,7 +4410,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize. @@ -4482,7 +4482,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize. @@ -4554,7 +4554,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up. @@ -4626,7 +4626,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize. @@ -4698,7 +4698,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up. @@ -4770,7 +4770,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize. @@ -4842,7 +4842,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up. @@ -4914,7 +4914,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize. @@ -4986,7 +4986,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office Suite 2016 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2016 applications. If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up. @@ -5059,7 +5059,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize. @@ -5131,7 +5131,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up. @@ -5203,7 +5203,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize. @@ -5275,7 +5275,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up. @@ -5347,7 +5347,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize. @@ -5419,7 +5419,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize. @@ -5491,7 +5491,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up. @@ -5563,7 +5563,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize. @@ -5635,7 +5635,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up. @@ -5707,7 +5707,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize. @@ -5779,7 +5779,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up. @@ -5851,7 +5851,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2016. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2016. By default, the user settings of Microsoft Project 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2016 from synchronization between computers. If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize. @@ -5924,7 +5924,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up. @@ -5995,7 +5995,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize. @@ -6067,7 +6067,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up. @@ -6138,7 +6138,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize. @@ -6210,7 +6210,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize. @@ -6282,7 +6282,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up. @@ -6354,7 +6354,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize. @@ -6426,7 +6426,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up. @@ -6498,7 +6498,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V. @@ -6570,7 +6570,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V. @@ -6642,7 +6642,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V. @@ -6713,7 +6713,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V. @@ -6785,7 +6785,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V. @@ -6857,7 +6857,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V. @@ -6929,7 +6929,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V. @@ -7000,7 +7000,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V. @@ -7072,7 +7072,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V. @@ -7144,7 +7144,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V. @@ -7216,7 +7216,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V. @@ -7288,7 +7288,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V. @@ -7360,7 +7360,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V. @@ -7432,7 +7432,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V. @@ -7504,7 +7504,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V. @@ -7576,7 +7576,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V. @@ -7647,7 +7647,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V. @@ -7719,7 +7719,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V. @@ -7791,7 +7791,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V. @@ -7863,7 +7863,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V. @@ -7935,7 +7935,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V. @@ -8007,7 +8007,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V. @@ -8079,7 +8079,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V. @@ -8151,7 +8151,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V. @@ -8223,7 +8223,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. If you enable this policy setting, Music user settings continue to sync. @@ -8294,7 +8294,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. If you enable this policy setting, News user settings continue to sync. @@ -8366,7 +8366,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. If you enable this policy setting, the Notepad user settings continue to synchronize. @@ -8438,7 +8438,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. If you enable this policy setting, Reader user settings continue to sync. @@ -8511,7 +8511,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings. @@ -8581,7 +8581,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures where the settings package files that contain user settings are stored. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures where the settings package files that contain user settings are stored. If you enable this policy setting, the user settings are stored in the specified location. @@ -8651,7 +8651,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. @@ -8727,7 +8727,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. If you enable this policy setting, Sports user settings continue to sync. @@ -8799,7 +8799,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier. > [!TIP] @@ -8864,7 +8864,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent does not synchronize settings over a metered connection. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent does not synchronize settings over a metered connection. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection. @@ -8936,7 +8936,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection that is roaming. @@ -9008,7 +9008,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages. @@ -9079,7 +9079,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized. @@ -9151,7 +9151,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. If you enable this policy setting, Travel user settings continue to sync. @@ -9222,7 +9222,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. With this setting disabled, the tray icon does not appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen. @@ -9292,7 +9292,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. If you enable this policy setting, Video user settings continue to sync. @@ -9364,7 +9364,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. If you enable this policy setting, Weather user settings continue to sync. @@ -9435,7 +9435,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. If you enable this policy setting, the WordPad user settings continue to synchronize. @@ -9463,14 +9463,15 @@ ADMX Info:
    Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md new file mode 100644 index 0000000000..dcc45e4c5e --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -0,0 +1,655 @@ +--- +title: Policy CSP - ADMX_UserProfiles +description: Policy CSP - ADMX_UserProfiles +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/11/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_UserProfiles +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_UserProfiles policies + +
    +
    + ADMX_UserProfiles/CleanupProfiles +
    +
    + ADMX_UserProfiles/DontForceUnloadHive +
    +
    + ADMX_UserProfiles/LeaveAppMgmtData +
    +
    + ADMX_UserProfiles/LimitSize +
    +
    + ADMX_UserProfiles/ProfileErrorAction +
    +
    + ADMX_UserProfiles/SlowLinkTimeOut +
    +
    + ADMX_UserProfiles/USER_HOME +
    +
    + ADMX_UserProfiles/UserInfoAccessAction +
    +
    + + +
    + + +**ADMX_UserProfiles/CleanupProfiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accessed. + +If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. + +If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Delete user profiles older than a specified number of days on system restart* +- GP name: *CleanupProfiles* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/DontForceUnloadHive** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys. + +Note: This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. + +If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. + +If you disable or do not configure this policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to the per-user registry keys at user logoff. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not forcefully unload the users registry at user logoff* +- GP name: *DontForceUnloadHive* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/LeaveAppMgmtData** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. + +By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior. + +If you enable this policy setting, Windows will not delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine. + +If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. + +> [!NOTE] +> If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Leave Windows Installer and Group Policy Software Installation Data* +- GP name: *LeaveAppMgmtData* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/LimitSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. + +If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. + +If you enable this policy setting, you can: + +- Set a maximum permitted user profile size. +- Determine whether the registry files are included in the calculation of the profile size. +- Determine whether users are notified when the profile exceeds the permitted maximum size. +- Specify a customized message notifying users of the oversized profile. +- Determine how often the customized message is displayed. + +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit profile size* +- GP name: *LimitSize* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/ProfileErrorAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting will automatically log off a user when Windows cannot load their profile. + +If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from logging on the user with a temporary profile. + +If you enable this policy setting, Windows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded. + +If you disable this policy setting or do not configure it, Windows logs on the user with a temporary profile when Windows cannot load their user profile. + +Also, see the "Delete cached copies of roaming profiles" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not log users on with temporary profiles* +- GP name: *ProfileErrorAction* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/SlowLinkTimeOut** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. + +To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transferred. From that connection and data transfer, the network's latency and connection speed are determined. + +This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load. + +If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. + +If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.Important: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control slow network connection timeout for user profiles* +- GP name: *SlowLinkTimeOut* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/USER_HOME** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session. + +If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. + +To use this policy setting, in the Location list, choose the location for the home folder. If you choose “On the network,” enter the path to a file share in the Path box (for example, \\\\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose “On the local computer,” enter a local path (for example, C:\HomeFolder) in the Path box. + +Do not specify environment variables or ellipses in the path. Also, do not specify a placeholder for the user name because the user name will be appended at logon. + +> [!NOTE] +> The Drive letter box is ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. + +If you disable or do not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. + +If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set user home folder* +- GP name: *USER_HOME* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/UserInfoAccessAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information. + +If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options: + +- "Always on" - users will not be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS. + +- "Always off" - users will not be able to change this setting and the user's name and account picture will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will not be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources. + +If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *User management of sharing user name, account picture, and domain information with apps (not desktop apps)* +- GP name: *UserInfoAccessAction* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index a9b6715a43..37697fb185 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values. @@ -228,7 +228,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies a set of parameters for controlling the Windows NTP Client. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a set of parameters for controlling the Windows NTP Client. If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. @@ -318,7 +318,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the Windows NTP Client is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. @@ -389,7 +389,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify whether the Windows NTP Server is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the Windows NTP Server is enabled. If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. @@ -416,14 +416,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index 0590f12265..0c5ea22e12 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -259,14 +259,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index bceaf394ed..399309047c 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -77,7 +77,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. +Available in the latest Windows 10 Insider Preview Build. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. If you enable this setting, Windows Calendar will be turned off. @@ -150,7 +150,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. +Available in the latest Windows 10 Insider Preview Build. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. If you enable this setting, Windows Calendar will be turned off. @@ -179,14 +179,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md index 8b06f92864..efff151d08 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md @@ -75,7 +75,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. By default, Add features to Windows 10 is available for all administrators. +Available in the latest Windows 10 Insider Preview Build. By default, Add features to Windows 10 is available for all administrators. If you enable this policy setting, the wizard will not run. @@ -102,14 +102,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 80b7d947fa..086405efd2 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -80,7 +80,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting prohibits access to Windows Connect Now (WCN) wizards. +Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. @@ -149,7 +149,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prohibits access to Windows Connect Now (WCN) wizards. +Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. @@ -218,7 +218,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. @@ -251,14 +251,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index c293e80086..004f66dae4 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -5355,13 +5355,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index d9845c8533..66570c3061 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. @@ -103,14 +103,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index 69a27c1fef..f0273482cf 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -134,7 +134,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -215,7 +215,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the MMS proxy settings for Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the MMS proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -295,7 +295,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -373,7 +373,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to turn off do not show first use dialog boxes. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off do not show first use dialog boxes. If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player. @@ -444,7 +444,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Network tab. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Network tab. If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player. @@ -513,7 +513,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. @@ -584,7 +584,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode. This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. @@ -655,7 +655,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent video smoothing from occurring. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent video smoothing from occurring. If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available. @@ -728,7 +728,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows a screen saver to interrupt playback. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows a screen saver to interrupt playback. If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and is not available. @@ -799,7 +799,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Privacy tab in Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Privacy tab in Windows Media Player. If you enable this policy setting, the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the Media Library tab is available, even though the Privacy tab is hidden, unless the "Prevent music file media information retrieval" policy setting is enabled. @@ -870,7 +870,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Security tab in Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Security tab in Windows Media Player. If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden or disabled by Internet Explorer policies. @@ -939,7 +939,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it is played. @@ -1013,7 +1013,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent Windows Media Player from downloading codecs. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available. @@ -1084,7 +1084,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player are not selected and are not available. @@ -1153,7 +1153,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media sharing from Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media sharing from Windows Media Player. If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature. @@ -1222,7 +1222,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media information for music files from being retrieved from the Internet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media information for music files from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available. @@ -1291,7 +1291,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. If you enable this policy setting, the user cannot add the shortcut for the Player to the Quick Launch bar. @@ -1359,7 +1359,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent radio station presets from being retrieved from the Internet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent radio station presets from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured are not be updated, and presets a user adds are not be displayed. @@ -1428,7 +1428,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. If you enable this policy setting, users cannot add the Player shortcut icon to their desktops. @@ -1497,7 +1497,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab. @@ -1570,7 +1570,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected. @@ -1601,14 +1601,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md new file mode 100644 index 0000000000..dc7bcf1f15 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md @@ -0,0 +1,185 @@ +--- +title: Policy CSP - ADMX_WindowsRemoteManagement +description: Policy CSP - ADMX_WindowsRemoteManagement +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/16/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsRemoteManagement +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_WindowsRemoteManagement policies + +
    +
    + ADMX_WindowsRemoteManagement/DisallowKerberos_1 +
    +
    + ADMX_WindowsRemoteManagement/DisallowKerberos_2 +
    +
    + + +
    + + +**ADMX_WindowsRemoteManagement/DisallowKerberos_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over the network. + +If you enable this policy setting, the WinRM service does not accept Kerberos credentials over the network. If you disable or do not configure this policy setting, the WinRM service accepts Kerberos authentication from a remote client. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow Kerberos authentication* +- GP name: *DisallowKerberos_1* +- GP path: *Windows Components\Windows Remote Management (WinRM)\WinRM Service* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +
    + + +**ADMX_WindowsRemoteManagement/DisallowKerberos_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentication directly. + +If you enable this policy setting, the Windows Remote Management (WinRM) client does not use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authentication and Kerberos is selected. + +If you disable or do not configure this policy setting, the WinRM client uses the Kerberos authentication directly. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow Kerberos authentication* +- GP name: *DisallowKerberos_2* +- GP path: *Windows Components\Windows Remote Management (WinRM)\WinRM Client* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index 7be8a731e7..cec2e2bd4f 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -397,13 +397,13 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md index dbbecca9d5..93d25c2f1e 100644 --- a/windows/client-management/mdm/policy-csp-admx-wininit.md +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md @@ -80,7 +80,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. If you enable this policy setting, the system does not create the named pipe remote shutdown interface. @@ -149,7 +149,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the use of fast startup. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the use of fast startup. If you enable this policy setting, the system requires hibernate to be enabled. @@ -218,7 +218,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. If you enable this policy setting, the system waits for the hung logon sessions for the number of minutes specified. @@ -245,14 +245,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md new file mode 100644 index 0000000000..f1998bb579 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -0,0 +1,494 @@ +--- +title: Policy CSP - ADMX_WinLogon +description: Policy CSP - ADMX_WinLogon +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WinLogon +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_WinLogon policies + +
    +
    + ADMX_WinLogon/CustomShell +
    +
    + ADMX_WinLogon/DisplayLastLogonInfoDescription +
    +
    + ADMX_WinLogon/LogonHoursNotificationPolicyDescription +
    +
    + ADMX_WinLogon/LogonHoursPolicyDescription +
    +
    + ADMX_WinLogon/ReportCachedLogonPolicyDescription +
    +
    + ADMX_WinLogon/SoftwareSASGeneration +
    +
    + + +
    + + +**ADMX_WinLogon/CustomShell** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. + +If you enable this setting, the system starts the interface you specify instead of Explorer.exe. To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. + +If you disable this setting or do not configure it, the setting is ignored and the system displays the Explorer interface. + +> [!TIP] +> To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom User Interface* +- GP name: *CustomShell* +- GP path: *System* +- GP ADMX file name: *WinLogon.admx* + + + +
    + + +**ADMX_WinLogon/DisplayLastLogonInfoDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the system displays information about previous logons and logon failures to the user. + +For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful logon by that user, the date and time of the last unsuccessful logon attempted with that user name, and the number of unsuccessful logons since the last successful logon by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop. + +For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows could not retrieve the information and the user will not be able to log on. Therefore, you should not enable this policy setting if the domain is not at the Windows Server 2008 domain functional level. + +If you disable or do not configure this setting, messages about the previous logon or logon failures are not displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display information about previous logons during user logon* +- GP name: *DisplayLastLogonInfoDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
    + + + +**ADMX_WinLogon/LogonHoursNotificationPolicyDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. + +If you enable this setting, warnings are not displayed to the user before the logon hours expire. + +If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occur when the logon hours expire. + +> [!NOTE] +> If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove logon hours expiration warnings* +- GP name: *LogonHoursNotificationPolicyDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
    + + +**ADMX_WinLogon/LogonHoursPolicyDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. + +If you choose to lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours. + +If you choose to log off a user, the user cannot log on again except during permitted logon hours. If you choose to log off a user, the user might lose unsaved data. If you enable this setting, the system will perform the action you specify when the user’s logon hours expire. + +If you disable or do not configure this setting, the system takes no action when the user’s logon hours expire. The user can continue the existing session, but cannot log on to a new session. + +> [!NOTE] +> If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set action to take when logon hours expire* +- GP name: *LogonHoursPolicyDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
    + + +**ADMX_WinLogon/ReportCachedLogonPolicyDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. + +If enabled, a notification popup will be displayed to the user when the user logs on with cached credentials. + +If disabled or not configured, no popup will be displayed to the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Report when logon server was not available during user logon* +- GP name: *ReportCachedLogonPolicyDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
    + + +**ADMX_WinLogon/SoftwareSASGeneration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS). + +If you enable this policy setting, you have one of four options: + +- If you set this policy setting to "None," user mode software cannot simulate the SAS. +- If you set this policy setting to "Services," services can simulate the SAS. +- If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS. +- If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS. + +If you disable or do not configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable or enable software Secure Attention Sequence* +- GP name: *SoftwareSASGeneration* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md index 0ca862b038..c66f4a6598 100644 --- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -247,14 +247,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md new file mode 100644 index 0000000000..7e7e4ee561 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md @@ -0,0 +1,490 @@ +--- +title: Policy CSP - ADMX_WPN +description: Policy CSP - ADMX_WPN +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/13/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WPN +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_WPN policies + +
    +
    + ADMX_WPN/NoCallsDuringQuietHours +
    +
    + ADMX_WPN/NoLockScreenToastNotification +
    +
    + ADMX_WPN/NoQuietHours +
    +
    + ADMX_WPN/NoToastNotification +
    +
    + ADMX_WPN/QuietHoursDailyBeginMinute +
    +
    + ADMX_WPN/QuietHoursDailyEndMinute +
    +
    + + +
    + + +**ADMX_WPN/NoCallsDuringQuietHours** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting blocks voice and video calls during Quiet Hours. + +If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours settings. + +If you disable this policy setting, voice and video calls will be allowed during Quiet Hours, and users will not be able to customize this or any other Quiet Hours settings. + +If you do not configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Administrators and users will be able to modify this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off calls during Quiet Hours* +- GP name: *NoCallsDuringQuietHours* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
    + + +**ADMX_WPN/NoLockScreenToastNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications on the lock screen. + +If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. + +If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user. + +No reboots or service restarts are required for this policy setting to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off toast notifications on the lock screen* +- GP name: *NoLockScreenToastNotification* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
    + + +**ADMX_WPN/NoQuietHours** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Quiet Hours functionality. + +If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day. + +If you disable this policy setting, toast notifications will be suppressed and some background task deferred during the designated Quiet Hours time window. Users will not be able to change this or any other Quiet Hours settings. + +If you do not configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Quiet Hours* +- GP name: *NoQuietHours* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
    + + +**ADMX_WPN/NoToastNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications for applications. + +If you enable this policy setting, applications will not be able to raise toast notifications. + +Note that this policy does not affect taskbar notification balloons. + +Note that Windows system features are not affected by this policy. You must enable/disable system features individually to stop their ability to raise toast notifications. + +If you disable or do not configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user. + +No reboots or service restarts are required for this policy setting to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off toast notifications* +- GP name: *NoToastNotification* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
    + + +**ADMX_WPN/QuietHoursDailyBeginMinute** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. + +If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. + +If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. + +If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set the time Quiet Hours begins each day* +- GP name: *QuietHoursDailyBeginMinute* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
    + + +**ADMX_WPN/QuietHoursDailyEndMinute** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. + +If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. + +If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. + +If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set the time Quiet Hours ends each day* +- GP name: *QuietHoursDailyEndMinute* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index dcea40a888..6387efccc5 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -2317,6 +2317,15 @@ Added in Windows 10, version 1607. Specifies the level of detection for potenti > Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). + +ADMX Info: +- GP English name: *Configure detection for potentially unwanted applications* +- GP name: *Root_PUAProtection* +- GP element: *Root_PUAProtection* +- GP path: *Windows Components/Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -3112,6 +3121,7 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 9 - Available in Windows 10, version 20H2. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 4061074c76..1031aada9c 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -371,7 +371,7 @@ ADMX Info: -This policy allows you to to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. +This policy allows you to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. @@ -754,8 +754,7 @@ The following list shows the supported values: - 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. - 3 – HTTP blended with Internet peering. - 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. -- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. - +- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. Note that this value is deprecated and will be removed in a future release. @@ -882,7 +881,7 @@ The options set in this policy only apply to Group (2) download mode. If Group ( For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. -Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. +Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 24c7b04cbf..ba86d69fad 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -22,28 +22,28 @@ ms.localizationpriority: medium
    - DeviceInstallation/AllowInstallationOfMatchingDeviceIDs + DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
    - DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs + DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
    - DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses + DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
    - DeviceInstallation/PreventDeviceMetadataFromNetwork + DeviceInstallation/PreventDeviceMetadataFromNetwork
    - DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
    - DeviceInstallation/PreventInstallationOfMatchingDeviceIDs + DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
    - DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs + DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
    - DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses + DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
    @@ -51,7 +51,7 @@ ms.localizationpriority: medium
    -**DeviceInstallation/AllowInstallationOfMatchingDeviceIDs** +## DeviceInstallation/AllowInstallationOfMatchingDeviceIDs @@ -165,7 +165,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
    -**DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs** +## DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
    @@ -272,7 +272,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
    -**DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses** +## DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
    @@ -395,7 +395,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
    -**DeviceInstallation/PreventDeviceMetadataFromNetwork** +## DeviceInstallation/PreventDeviceMetadataFromNetwork
    @@ -474,7 +474,7 @@ ADMX Info:
    -**DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings** +## DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
    @@ -586,7 +586,7 @@ You can also block installation by using a custom profile in Intune.
    -**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** +## DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
    @@ -703,7 +703,7 @@ For example, this custom profile blocks installation and usage of USB devices wi
    -**DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs** +## DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
    @@ -830,7 +830,7 @@ with
    -**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** +## DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
    diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index f68a71f820..b106637736 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -677,7 +677,7 @@ The following list shows the supported values: -Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. +Specifies the maximum amount of time (in seconds) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. * On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. * On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 7809027bc7..8550d25403 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1227,76 +1227,6 @@ The following list shows the supported values:
    - -**Experience/DisableCloudOptimizedContent** - - -
    - - - - - - - - - - - - - - - - - - - - - - - - -
    Windows EditionSupported?
    Homecheck mark9
    Procheck mark9
    Businesscheck mark9
    Enterprisecheck mark9
    Educationcheck mark9
    - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting lets you turn off cloud optimized content in all Windows experiences. - -If you enable this policy setting, Windows experiences that use the cloud optimized content client component will present the default fallback content. - -If you disable or do not configure this policy setting, Windows experiences will be able to use cloud optimized content. - - - -ADMX Info: -- GP English name: *Turn off cloud optimized content* -- GP name: *DisableCloudOptimizedContent* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 (default) – Disabled. -- 1 – Enabled. - - - - -
    - **Experience/DoNotShowFeedbackNotifications** @@ -1428,7 +1358,7 @@ ADMX Info: Supported values: -- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between user’s devices and lets users to make changes. +- 0 (default) - Allowed/turned on. The "browser" group synchronizes automatically between users' devices and lets users make changes. - 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option. diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 38ef9aa0b9..c320a8134e 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -82,7 +82,7 @@ Available in Windows 10, version 20H2. This policy setting allows IT admins to a > > Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. -Here's an example of the policy definition XML for group configuration: +Here is an example of the policy definition XML for group configuration: ```xml @@ -104,7 +104,9 @@ where: - ``: Specifies the SID or name of the member to remove from the specified group. > [!NOTE] - > When specifying member names of domain accounts, use fully qualified account names where possible (for example, domain_name\user_name) instead of isolated names (for example, group_name). This way, you can avoid getting ambiguous results when users or groups with the same name exist in multiple domains and locally. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. + > When specifying member names of the user accounts, you must use following format – AzureAD/userUPN. For example, "AzureAD/user1@contoso.com" or "AzureAD/user2@contoso.co.uk". +For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy. +for more information, see [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea). See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. @@ -121,35 +123,51 @@ See [Use custom settings for Windows 10 devices in Intune](https://docs.microsof **Examples** -Example 1: Update action for adding and removing group members. +Example 1: AAD focused. -The following example shows how you can update a local group (**Backup Operators**)—add a domain group as a member using its name (**Contoso\ITAdmins**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**). +The following example updates the built-in administrators group with AAD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444. On an AAD joined machines**. + +```xml + + + + + + + +``` + +Example 2: Replace / Restrict the built-in administrators group with an AAD user account. + +> [!NOTE] +> When using ‘R’ replace option to configure the built-in ‘Administrators’ group, it is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group. + +Example: +```xml + + + + + + + +``` +Example 3: Update action for adding and removing group members on a hybrid joined machine. + +The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. ```xml - + - ``` -Example 2: Restrict action for replacing the group membership. -The following example shows how you can restrict a local group (**Backup Operators**)—replace its membership with the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids) and add a local account (**Guest**). - -```xml - - - - - - - -``` @@ -157,6 +175,17 @@ The following example shows how you can restrict a local group (**Backup Operato
    +> [!NOTE] +> +> When AAD group SID’s are added to local groups, during AAD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: +> +> - Administrators +> - Users +> - Guests +> - Power Users +> - Remote Desktop Users +> - Remote Management Users + ## FAQs This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP. @@ -223,10 +252,69 @@ To troubleshoot Name/SID lookup APIs: ```cmd Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force ``` - +```xml + + + + + + + + + + + + Group Configuration Action + + + + + + + + Group Member to Add + + + + + + + + Group Member to Remove + + + + + + + + Group property to configure + + + + + + + + + + + + + + + + Local Group Configuration + + + + + + +``` Footnotes: -- 9 - Available in Windows 10, version 20H2. +Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md index 019a3f61c5..fd1e3372e8 100644 --- a/windows/client-management/mdm/policy-csp-multitasking.md +++ b/windows/client-management/mdm/policy-csp-multitasking.md @@ -96,7 +96,7 @@ This policy only applies to the Alt+Tab switcher. When the policy is not enabled ADMX Info: - GP English name: *Configure the inclusion of Edge tabs into Alt-Tab* -- GP name: *MultiTaskingAltTabFilter* +- GP name: *BrowserAltTabBlowout* - GP path: *Windows Components/Multitasking* - GP ADMX file name: *Multitasking.admx* diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 5fe588c782..b3290f82dc 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 02/12/2021 ms.reviewer: manager: dansimp --- @@ -25,9 +25,6 @@ manager: dansimp
    Search/AllowCloudSearch
    -
    - Search/AllowCortanaInAAD -
    Search/AllowFindMyFiles
    @@ -137,7 +134,6 @@ The following list shows the supported values:
    -**Search/AllowCortanaInAAD** @@ -178,30 +174,6 @@ The following list shows the supported values:
    - - -Added in Windows 10, version 1803. This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. If this policy is left in its default state, Cortana will not be shown in the AAD OOBE flow. If you opt-in to this policy, then the Cortana consent page will appear in the AAD OOBE flow.. - - - -ADMX Info: -- GP English name: *Allow Cortana Page in OOBE on an AAD account* -- GP name: *AllowCortanaInAAD* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 0 (default) - Not allowed. The Cortana consent page will not appear in AAD OOBE during setup. -- 1 - Allowed. The Cortana consent page will appear in Azure AAD OOBE during setup. - - - - -
    - **Search/AllowFindMyFiles** diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 762c801e6c..8f43acb2ab 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -78,6 +78,9 @@ If you enable this policy setting, built-in system services hosted in svchost.ex This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code. +> [!IMPORTANT] +> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software). + If you disable or do not configure this policy setting, the stricter security settings will not be applied. @@ -122,4 +125,3 @@ Footnotes: - 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index df70a21a7c..1a7026a930 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1113,8 +1113,8 @@ ADMX Info: Supported values: -- 0 - Disable (Default) -- 1 - Enable +- 0 - Disable +- 1 - Enable (Default) @@ -1733,18 +1733,19 @@ OS upgrade: Update: - Maximum deferral: 1 month - Deferral increment: 1 week -- Update type/notes: - If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 - - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 - - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F - - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 - - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB - - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F - - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 - - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 +- Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic: + + - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 + - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 + - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F + - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 + - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB + - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F + - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 + - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 Other/cannot defer: + - Maximum deferral: No deferral - Deferral increment: No deferral - Update type/notes: @@ -4332,7 +4333,7 @@ The following list shows the supported values: -Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/). +Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information/). ADMX Info: diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index df12efd32b..b1a0a67245 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -84,6 +84,18 @@ For example, the following syntax grants user rights to Authenticated Users and ``` +For example, the following syntax grants user rights to two specific Azure Active Directory (AAD) users from Contoso, user1 and user2: + +```xml + +``` + +For example, the following syntax grants user rights to a specific user or group, by using the Security Identifier (SID) of the account or group: + +```xml + +``` +
    diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 330dddba01..c03b4d3430 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -20,23 +20,23 @@ The following diagram shows the SurfaceHub CSP management objects in tree format ![surface hub diagram](images/provisioning-csp-surfacehub.png) -**./Vendor/MSFT/SurfaceHub** +**./Vendor/MSFT/SurfaceHub**

    The root node for the Surface Hub configuration service provider. -**DeviceAccount** +**DeviceAccount**

    Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account.

    To use a device account from Azure Active Directory -1. Set the UserPrincipalName (for Azure AD). -2. Set a valid Password. -3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. -4. Get the ErrorContext in case something goes wrong during validation. +1. Set the UserPrincipalName (for Azure AD). +2. Set a valid Password. +3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. +4. Get the ErrorContext in case something goes wrong during validation. > [!NOTE] > If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress. - +

    Here's a SyncML example. ```xml @@ -89,67 +89,72 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

    To use a device account from Active Directory -1. Set the DomainName. -2. Set the UserName. -3. Set a valid Password. -4. Execute the ValidateAndCommit node. +1. Set the DomainName. +2. Set the UserName. +3. Set a valid Password. +4. Execute the ValidateAndCommit node. -**DeviceAccount/DomainName** +**DeviceAccount/DomainName**

    Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.

    The data type is string. Supported operation is Get and Replace. -**DeviceAccount/UserName** +**DeviceAccount/UserName**

    Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.

    The data type is string. Supported operation is Get and Replace. -**DeviceAccount/UserPrincipalName** +**DeviceAccount/UserPrincipalName**

    User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.

    The data type is string. Supported operation is Get and Replace. -**DeviceAccount/SipAddress** +**DeviceAccount/SipAddress**

    Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails.

    The data type is string. Supported operation is Get and Replace. -**DeviceAccount/Password** +**DeviceAccount/Password**

    Password for the device account.

    The data type is string. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank. -**DeviceAccount/ValidateAndCommit** +**DeviceAccount/ValidateAndCommit**

    This method validates the data provided and then commits the changes.

    The data type is string. Supported operation is Execute. -**DeviceAccount/Email** +**DeviceAccount/Email**

    Email address of the device account.

    The data type is string. -**DeviceAccount/PasswordRotationEnabled** +**DeviceAccount/PasswordRotationEnabled**

    Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).

    Valid values: -- 0 - password rotation enabled -- 1 - disabled +- 0 - password rotation enabled +- 1 - disabled

    The data type is integer. Supported operation is Get and Replace. -**DeviceAccount/ExchangeServer** +**DeviceAccount/ExchangeServer**

    Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails.

    The data type is string. Supported operation is Get and Replace. -**DeviceAccount/CalendarSyncEnabled** +**DeviceAccount/ExchangeModernAuthEnabled** +

    Added in KB4598291 for Windows 10, version 20H2. Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True. + +

    The data type is boolean. Supported operation is Get and Replace. + +**DeviceAccount/CalendarSyncEnabled**

    Specifies whether calendar sync and other Exchange server services is enabled.

    The data type is boolean. Supported operation is Get and Replace. -**DeviceAccount/ErrorContext** +**DeviceAccount/ErrorContext**

    If there is an error calling ValidateAndCommit, there is additional context for that error in this node. Here are the possible error values:

    @@ -206,67 +211,67 @@ The following diagram shows the SurfaceHub CSP management objects in tree format  

    The data type is integer. Supported operation is Get. -**MaintenanceHoursSimple/Hours** +**MaintenanceHoursSimple/Hours**

    Node for maintenance schedule. -**MaintenanceHoursSimple/Hours/StartTime** +**MaintenanceHoursSimple/Hours/StartTime**

    Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120.

    The data type is integer. Supported operation is Get and Replace. -**MaintenanceHoursSimple/Hours/Duration** +**MaintenanceHoursSimple/Hours/Duration**

    Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180.

    The data type is integer. Supported operation is Get and Replace. -**InBoxApps** +**InBoxApps**

    Node for the in-box app settings. -**InBoxApps/SkypeForBusiness** +**InBoxApps/SkypeForBusiness**

    Added in Windows 10, version 1703. Node for the Skype for Business settings. -**InBoxApps/SkypeForBusiness/DomainName** +**InBoxApps/SkypeForBusiness/DomainName**

    Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see Set up Skype for Business Online.

    The data type is string. Supported operation is Get and Replace. -**InBoxApps/Welcome** +**InBoxApps/Welcome**

    Node for the welcome screen. -**InBoxApps/Welcome/AutoWakeScreen** +**InBoxApps/Welcome/AutoWakeScreen**

    Automatically turn on the screen using motion sensors.

    The data type is boolean. Supported operation is Get and Replace. -**InBoxApps/Welcome/CurrentBackgroundPath** -

    Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. +**InBoxApps/Welcome/CurrentBackgroundPath** +

    Background image for the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.

    The data type is string. Supported operation is Get and Replace. -**InBoxApps/Welcome/MeetingInfoOption** +**InBoxApps/Welcome/MeetingInfoOption**

    Meeting information displayed on the welcome screen.

    Valid values: -- 0 - Organizer and time only -- 1 - Organizer, time, and subject. Subject is hidden in private meetings. +- 0 - Organizer and time only +- 1 - Organizer, time, and subject. Subject is hidden in private meetings.

    The data type is integer. Supported operation is Get and Replace. -**InBoxApps/WirelessProjection** +**InBoxApps/WirelessProjection**

    Node for the wireless projector app settings. -**InBoxApps/WirelessProjection/PINRequired** +**InBoxApps/WirelessProjection/PINRequired**

    Users must enter a PIN to wirelessly project to the device.

    The data type is boolean. Supported operation is Get and Replace. -**InBoxApps/WirelessProjection/Enabled** +**InBoxApps/WirelessProjection/Enabled**

    Enables wireless projection to the device.

    The data type is boolean. Supported operation is Get and Replace. -**InBoxApps/WirelessProjection/Channel** +**InBoxApps/WirelessProjection/Channel**

    Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification.

    @@ -290,36 +295,36 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
    - +

    The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for).

    The data type is integer. Supported operation is Get and Replace. -**InBoxApps/Connect** +**InBoxApps/Connect**

    Added in Windows 10, version 1703. Node for the Connect app. -**InBoxApps/Connect/AutoLaunch** +**InBoxApps/Connect/AutoLaunch**

    Added in Windows 10, version 1703. Specifies whether to automatically launch the Connect app whenever a projection is initiated.

    If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings.

    The data type is boolean. Supported operation is Get and Replace. -**Properties** +**Properties**

    Node for the device properties. -**Properties/FriendlyName** +**Properties/FriendlyName**

    Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device.

    The data type is string. Supported operation is Get and Replace. -**Properties/DefaultVolume** +**Properties/DefaultVolume**

    Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.

    The data type is integer. Supported operation is Get and Replace. -**Properties/ScreenTimeout** -

    Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off. +**Properties/ScreenTimeout** +

    Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.

    The following table shows the permitted values. @@ -333,7 +338,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

0Never timeout
Never time out
1 1 minute
0Never timeout
Never time out
1 1 minute (default)
0Never timeout
Never time out
1 1 minute

Type

BuiltIn Local

Builtin Local

Default container

Type

BuiltIn Local

Builtin Local

Default container

Type

BuiltIn Local

Builtin Local

Default container

Type

Builtin local

Builtin Local

Default container

Well-Known SID/RID

S-1-5-<domain>-517

S-1-5-21-<domain>-517

Type

Type

Builtin local

Builtin Local

Default container

Type

BuiltIn Local

Builtin Local

Default container

Type

Domain local

Builtin Local

Default container

Type

Domain Global

Global

Default container

Well-Known SID/RID

S-1-5-<domain>-515

S-1-5-21-<domain>-515

Type

Well-Known SID/RID

S-1-5-<domain>-516

S-1-5-21-<domain>-516

Type

Well-Known SID/RID

S-1-5-<domain>-514

S-1-5-21-<domain>-514

Type

Well-Known SID/RID

S-1-5-<domain>-513

S-1-5-21-<domain>-513

Type

Domain Global

Global

Default container

Type

Builtin local

Domain Local

Default container

Well-Known SID/RID

S-1-5-<domain>-520

S-1-5-21-<domain>-520

Type

Default members

Guest

Domain Guests

Guest

Default member of

Domain Guests

-

Guest

None

Protected by ADMINSDHOLDER?

Type

Builtin local

Builtin Local

Default container

Default member of

No

None

Protected by ADMINSDHOLDER?

Type

BuiltIn Local

Builtin Local

Default container

Type

BuiltIn local

Builtin Local

Default container

Type

BuiltIn local

Builtin Local

Default container

Type

Builtin local

Builtin Local

Default container

Type

Builtin local

Builtin Local

Default container

Type

Builtin local

Builtin Local

Default container

Type

Builtin local

Builtin Local

Default container

Type

Domain Global

Global

Default container

Type

Domain local

Builtin Local

Default container

Well-Known SID/RID

S-1-5-32-<domain>-576

S-1-5-32-576

Type

Builtin local

Builtin Local

Default container

Type

Builtin local

Builtin Local

Default container

Type

Builtin local

Builtin Local

Default container

++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
AttributeValue

Well-Known SID/RID

S-1-5-21-<domain>-521

Type

Global

Default container

CN=Users, DC=<domain>, DC=

Default members

None

Default member of

Denied RODC Password Replication Group

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Yes

Safe to delegate management of this group to non-Service admins?

Default User Rights

See Denied RODC Password Replication Group

+ + ### Remote Desktop Users The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). @@ -3094,78 +3165,6 @@ This security group has not changed since Windows Server 2008. - - -### Read-Only Domain Controllers - -This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role. - -Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality: - -- Read-only AD DS database - -- Unidirectional replication - -- Credential caching - -- Administrator role separation - -- Read-only Domain Name System (DNS) - -For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](https://technet.microsoft.com/library/cc754719(v=ws.10).aspx). - -This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
AttributeValue

Well-Known SID/RID

S-1-5-21-<domain>-521

Type

Default container

CN=Users, DC=<domain>, DC=

Default members

None

Default member of

Denied RODC Password Replication Group

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Yes

Safe to delegate management of this group to non-Service admins?

Default User Rights

See Denied RODC Password Replication Group

@@ -3197,7 +3196,7 @@ This security group was introduced in Windows Server 2012, and it has not chang

Type

-

Builtin local

+

Builtin Local

Default container

@@ -3264,7 +3263,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Builtin local

+

Builtin Local

Default container

@@ -3327,7 +3326,7 @@ This security group has not changed since Windows Server 2008.

Well-Known SID/RID

-

S-1-5-<root domain>-518

+

S-1-5-21-<root domain>-518

Type

@@ -3368,9 +3367,9 @@ This security group has not changed since Windows Server 2008. ### Server Operators -Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. +Members in the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. -By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table. +By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, and the Enterprise Admins group in the forest root domain. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table. The Server Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). @@ -3394,7 +3393,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Builtin local

+

Builtin Local

Default container

@@ -3442,7 +3441,7 @@ The Storage Replica Administrators group applies to versions of the Windows Serv | Attribute | Value | |-----------|-------| | Well-Known SID/RID | S-1-5-32-582 | -| Type | BuiltIn Local | +| Type | Builtin Local | | Default container | CN=BuiltIn, DC=<domain>, DC= | | Default members | None | | Default member of | None | @@ -3463,7 +3462,7 @@ The System Managed Accounts group applies to versions of the Windows Server oper | Attribute | Value | |-----------|-------| | Well-Known SID/RID | S-1-5-32-581 | -| Type | BuiltIn Local | +| Type | Builtin Local | | Default container | CN=BuiltIn, DC=<domain>, DC= | | Default members | Users | | Default member of | None | @@ -3507,7 +3506,7 @@ This security group only applies to Windows Server 2003 and Windows Server 200

Type

-

Builtin local

+

Builtin Local

Default container

@@ -3574,7 +3573,7 @@ This security group includes the following changes since Windows Server 2008:

Type

-

Builtin local

+

Builtin Local

Default container

@@ -3588,7 +3587,7 @@ This security group includes the following changes since Windows Server 2008:

Default member of

-

Domain Users (this membership is due to the fact that the Primary Group ID of all user accounts is Domain Users.)

+

None

Protected by ADMINSDHOLDER?

@@ -3641,7 +3640,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Builtin local

+

Builtin Local

Default container

diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md index 3ad985610a..ea1bce53c3 100644 --- a/windows/security/identity-protection/access-control/dynamic-access-control.md +++ b/windows/security/identity-protection/access-control/dynamic-access-control.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 56e4f2edf2..e988e6da9f 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md index d1f2624bf6..7abb98e730 100644 --- a/windows/security/identity-protection/access-control/microsoft-accounts.md +++ b/windows/security/identity-protection/access-control/microsoft-accounts.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index c8bdc813a2..b21bd85fd4 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md index 111f5d902d..26564af45a 100644 --- a/windows/security/identity-protection/access-control/security-principals.md +++ b/windows/security/identity-protection/access-control/security-principals.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md index 7a95b60584..3e5a325d0a 100644 --- a/windows/security/identity-protection/access-control/service-accounts.md +++ b/windows/security/identity-protection/access-control/service-accounts.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index b14254b22a..0dc6406a6d 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/change-history-for-access-protection.md b/windows/security/identity-protection/change-history-for-access-protection.md index 954dd6020d..d76e6bc56d 100644 --- a/windows/security/identity-protection/change-history-for-access-protection.md +++ b/windows/security/identity-protection/change-history-for-access-protection.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index 0dd5d09a40..cab91d6db4 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 5a88c7b645..885c697548 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index 6d52746433..90a4a08397 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index 4eaf65890c..8d0219c5dd 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 52e6cf8f15..0780c5d0c4 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 742dd80951..27f4be1157 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -7,15 +7,15 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: v-tea manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.reviewer: ms.custom: -- CI 120967 -- CSSTroubleshooting + - CI 120967 + - CSSTroubleshooting --- # Manage Windows Defender Credential Guard @@ -160,7 +160,7 @@ You can view System Information to check that Windows Defender Credential Guard 2. Click **System Summary**. -3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Configured**. +3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**. Here's an example: diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index 0083c4e274..dcda95a96c 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md index 792587963f..845101f5a0 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 2e56e0803c..3fae5bee58 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management @@ -20,7 +20,7 @@ ms.reviewer: ## Applies to -- Windows 10 +- Windows 10 Enterprise - Windows Server 2016 For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). @@ -135,7 +135,7 @@ The following table lists qualifications for Windows 10, version 1703, which are |Protections for Improved Security|Description|Security Benefits |---|---|---| -|Firmware: **VBS enablement of No-Execute (NX) protection for UEFI runtime services**|**Requirements**:
- VBS will enable NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections must be page-aligned in memory (not required for in non-volatile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
(**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware.| +|Firmware: **VBS enablement of No-Execute (NX) protection for UEFI runtime services**|**Requirements**:
- VBS will enable NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections must be page-aligned in memory (not required for in non-volatile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writable and non-executable.
(**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware.| |Firmware: **Firmware support for SMM protection**|**Requirements**:
- The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM.| > [!IMPORTANT] @@ -148,7 +148,7 @@ The following table lists qualifications for Windows 10, version 1703, which are > > Please also note the following: > -> - Do not use sections that are both writeable and executable +> - Do not use sections that are both writable and executable > > - Do not attempt to directly modify executable system memory > diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md index 7f2c136802..a2583e1181 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ b/windows/security/identity-protection/credential-guard/credential-guard.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index e609c9469d..b1dbf1f33c 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -17,6 +17,9 @@ ms.reviewer: # Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool +**Applies to:** +- Windows 10 Enterprise Edition + ```powershell # Script to find out if a machine is Device Guard compliant. # The script requires a driver verifier present on the system. @@ -732,11 +735,11 @@ function IsDomainController function CheckOSSKU { - $osname = $((gwmi win32_operatingsystem).Name).ToLower() + $osname = $((Get-ComputerInfo).WindowsProductName).ToLower() $_SKUSupported = 0 Log "OSNAME:$osname" $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server") - $HLKAllowed = @("microsoft windows 10 pro") + $HLKAllowed = @("windows 10 pro") foreach ($SKUent in $SKUarray) { if($osname.ToString().Contains($SKUent.ToLower())) diff --git a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png index d9af0e8fc4..46f838c8d2 100644 Binary files a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png and b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png differ diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 215c86beea..e6e5fa20c1 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -1,5 +1,5 @@ --- -title: Multifactor Unlock +title: Multi-factor Unlock description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor ms.prod: w10 @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 03/20/2018 ms.reviewer: --- -# Multifactor Unlock +# Multi-factor Unlock **Applies to:** - Windows 10 @@ -83,15 +83,17 @@ For example, if you include the PIN and fingerprint credential providers in both The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device. ### Rule element -You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0.
+You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0. + **Example** -``` +```xml ``` ### Signal element -Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.
+Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values. + |Attribute|Value| |---------|-----| @@ -109,8 +111,8 @@ You define the bluetooth signal with additional attributes in the signal element |rssiMin|"*number*"|no| |rssiMaxDelta|"*number*"|no| -Example: -``` +**Example** +```xml @@ -142,63 +144,76 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw You define IP configuration signals using one or more ipConfiguration elements. Each element has a string value. IpConfiguration elements do not have attributes or nested elements. ##### IPv4Prefix -The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element.
+The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element. + **Example** -``` +```xml 192.168.100.0/24 ``` + The assigned IPv4 addresses in the range of 192.168.100.1 to 192.168.100.254 match this signal configuration. ##### IPv4Gateway -The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element.
+The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element. + **Example** -``` +```xml 192.168.100.10 ``` + ##### IPv4DhcpServer -The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element.
+The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element. + **Example** -``` +```xml 192.168.100.10 ``` + ##### IPv4DnsServer -The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.
+The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements. + **Example:** -``` +```xml 192.168.100.10 ``` ##### IPv6Prefix -The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element.
+The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element. + **Example** -``` +```xml 21DA:D3::/48 ``` ##### IPv6Gateway -The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element.
+The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element. + **Example** -``` +```xml 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 ``` ##### IPv6DhcpServer -The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element.
+The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element. + **Example** -``` +```xml 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 +The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. The **signal** element may contain one or more **ipv6DnsServer** elements. + **Example** -``` +```xml 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 ``` + ##### dnsSuffix -The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
+The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements. + **Example** -``` +```xml corp.contoso.com ``` @@ -210,15 +225,17 @@ The fully qualified domain name of your organization's internal DNS suffix where You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements. #### SSID -Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required.
-``` +Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required. + +```xml corpnetwifi ``` #### BSSID -Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional.
+Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional. + **Example** -``` +```xml 12-ab-34-ff-e5-46 ``` @@ -235,19 +252,22 @@ Contains the type of security the client uses when connecting to the wireless ne |WPA2-Enterprise| The wireless network is protected using Wi-Fi Protected Access 2-Enterprise.| **Example** -``` +```xml WPA2-Enterprise ``` #### TrustedRootCA -Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional.
+Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional. + **Example** -``` +```xml a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa ``` + #### Sig_quality -Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.
+Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal. + **Example** -``` +```xml 80 ``` @@ -257,7 +277,8 @@ These examples are wrapped for readability. Once properly formatted, the entire #### Example 1 This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, and DnsSuffix elements. -``` + +```xml 10.10.10.0/24 @@ -271,10 +292,11 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, #### Example 2 This example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones. This configuration is wrapped for reading. Once properly formatted, the entire XML contents must be a single line. This example implies that either the ipconfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true. + >[!NOTE] >Separate each rule element using a comma. -``` +```xml corp.contoso.com @@ -284,9 +306,11 @@ This example configures an IpConfig signal type using a dnsSuffix element and a ``` + #### Example 3 This example configures the same as example 2 using compounding And elements. This example implies that the ipconfig **and** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true. -``` + +```xml @@ -296,9 +320,11 @@ This example configures the same as example 2 using compounding And elements. T ``` + #### Example 4 This example configures Wi-Fi as a trusted signal (Windows 10, version 1803) -``` + +```xml contoso @@ -332,22 +358,34 @@ The Group Policy object contains the policy settings needed to trigger Windows H > * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both. > * The multifactor unlock feature is also supported via the Passport for Work CSP. See [Passport For Work CSP](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) for more information. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New**. -4. Type *Multifactor Unlock* in the name box and click **OK**. -5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
- ![Group Policy Editor](images/multifactorUnlock/gpme.png) -8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
- ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png) -9. Configure first and second unlock factors using the information in the [Configure Unlock Factors](#configuring-unlock-factors) section. -10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in the [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) section. -11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. +1. Start the **Group Policy Management Console** (gpmc.msc). - ## Troubleshooting - Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. + +3. Right-click **Group Policy object** and select **New**. + +4. Type *Multifactor Unlock* in the name box and click **OK**. + +5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**. + +6. In the navigation pane, expand **Policies** under **Computer Configuration**. + +7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. + + ![Group Policy Editor](images/multifactorUnlock/gpme.png) + +8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values. + + ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png) + +9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors). + +10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider). + +11. Click **OK** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. + +## Troubleshooting +Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. ### Events diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index 01dffaef6d..d0857ccd72 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -15,7 +15,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 03/05/2020 +ms.date: 01/12/2021 --- # Windows Hello biometrics in the enterprise @@ -53,7 +53,7 @@ The biometric data used to support Windows Hello is stored on the local device o ## Has Microsoft set any device requirements for Windows Hello? We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: -- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm. +- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm. - **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. @@ -81,6 +81,10 @@ To allow facial recognition, you must have devices with integrated special infra - Effective, real world FRR with Anti-spoofing or liveness detection: <10% +> [!NOTE] +>Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. + + ## Related topics - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 4486823bc5..22d05b8312 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 01/14/2021 ms.reviewer: --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services @@ -39,17 +39,19 @@ A new Active Directory Federation Services farm should have a minimum of two fed Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. > [!NOTE] ->For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: +> For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: > -> 1. Launch AD FS management console. Brose to "Services > Scope Descriptions". +> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions". > 2. Right click "Scope Descriptions" and select "Add Scope Description". > 3. Under name type "ugs" and Click Apply > OK. -> 4. Launch Powershell as Administrator. -> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier. -> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. -> 7. Restart the ADFS service. -> 8. On the client: Restart the client. User should be prompted to provision WHFB. -> 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot. +> 4. Launch PowerShell as an administrator. +> 5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": +> ```PowerShell +> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier +> ``` +> 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`. +> 7. Restart the AD FS service. +> 8. On the client: Restart the client. User should be prompted to provision Windows Hello for Business. ## Update Windows Server 2016 @@ -101,7 +103,7 @@ A server authentication certificate should appear in the computer’s Personal c The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments: - Device registration -- Key registration +- Key registration - Certificate registration authority (certificate trust deployments) >[!IMPORTANT] @@ -215,7 +217,6 @@ Sign-in the federation server with _domain administrator_ equivalent credentials 12. When the process completes, click **Close**. 13. Do not restart the AD FS server. You will do this later. - ### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group > [!NOTE] @@ -224,6 +225,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials The **KeyCredential Administrators** global group provides the AD FS service with the permissions needed to perform key registration. The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. + 1. Open **Active Directory Users and Computers**. 2. Click the **Users** container in the navigation pane. 3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. @@ -240,9 +242,10 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva Key Registration stores the Windows Hello for Business public key in Active Directory. With on-premises deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory. -The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. +The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. + 1. Open **Active Directory Users and Computers**. 2. Right-click your domain name from the navigation pane and click **Properties**. 3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). @@ -251,11 +254,12 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 6. In the **Applies to** list box, select **Descendant User objects**. 7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. 8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. -9. Click **OK** three times to complete the task. +9. Click **OK** three times to complete the task. ## Configure the Device Registration Service Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. + 1. Open the **AD FS management** console. 2. In the navigation pane, expand **Service**. Click **Device Registration**. 3. In the details pane, click **Configure Device Registration**. @@ -296,6 +300,7 @@ The registration authority template you configure depends on the AD FS service c >Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. #### Windows 2012 or later domain controllers + Sign-in a certificate authority or management workstations with _domain administrator_ equivalent credentials. 1. Open the **Certificate Authority Management** console. @@ -318,6 +323,7 @@ Sign-in a certificate authority or management workstations with _domain administ #### Windows 2008 or 2008R2 domain controllers Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. + 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. @@ -326,7 +332,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. -9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. 10. Close the console. ### Configure the Windows Hello for Business Authentication Certificate template @@ -334,27 +340,29 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. Sign-in a certificate authority or management workstations with _domain administrator equivalent_ credentials. + 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. > [!NOTE] > If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. -8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. +8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 10. On the **Request Handling** tab, select the **Renew with same key** check box. 11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. -12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. 13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. 14. Click on the **Apply** to save changes and close the console. #### Mark the template as the Windows Hello Sign-in template Sign-in to an **AD FS Windows Server 2016** computer with _enterprise administrator_ equivalent credentials. + 1. Open an elevated command prompt. 2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`. @@ -364,20 +372,21 @@ Sign-in to an **AD FS Windows Server 2016** computer with _enterprise administra ### Publish Enrollment Agent and Windows Hello For Business Authentication templates to the Certificate Authority Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. + 1. Open the **Certificate Authority** management console. 2. Expand the parent node from the navigation pane. 3. Click **Certificate Templates** in the navigation pane. 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. 5. In the **Enable Certificates Templates** window, select the **WHFB Enrollment Agent** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. Publish the **WHFB Authentication** certificate template using step 5. +6. Publish the **WHFB Authentication** certificate template using step 5. 7. Close the console. ### Configure the Registration Authority -Sign-in the AD FS server with domain administrator equivalent credentials. +Sign-in the AD FS server with domain administrator equivalent credentials. 1. Open a **Windows PowerShell** prompt. -2. Type the following command +2. Type the following command ```PowerShell Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication @@ -392,6 +401,7 @@ Active Directory Federation Server used for Windows Hello for Business certifica Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. ### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service + > [!NOTE] > Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)?redirectedfrom=MSDN). @@ -428,7 +438,7 @@ Each server you add to the AD FS farm must have a proper server authentication c ### Install Additional Servers -Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. +Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. ## Load Balance AD FS Federation Servers @@ -437,6 +447,7 @@ Many environments load balance using hardware devices. Environments without har ### Install Network Load Balancing Feature on AD FS Servers Sign-in the federation server with _Enterprise Admin_ equivalent credentials. + 1. Start **Server Manager**. Click **Local Server** in the navigation pane. 2. Click **Manage** and then click **Add Roles and Features**. 3. Click **Next** On the **Before you begin** page. @@ -444,7 +455,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. 6. On the **Select server roles** page, click **Next**. 7. Select **Network Load Balancing** on the **Select features** page. -8. Click **Install** to start the feature installation. +8. Click **Install** to start the feature installation. ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) ### Configure Network Load Balancing for AD FS @@ -452,44 +463,47 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. Sign-in a node of the federation farm with _Admin_ equivalent credentials. -1. Open **Network Load Balancing Manager** from **Administrative Tools**. + +1. Open **Network Load Balancing Manager** from **Administrative Tools**. ![NLB Manager user interface](images/hello-nlb-manager.png) 2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. -3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. +3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) 4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) 5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. -6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. +6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) -7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. +7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) 8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. -9. In Port Rules, click Edit to modify the default port rules to use port 443. +9. In Port Rules, click Edit to modify the default port rules to use port 443. ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) ### Additional AD FS Servers 1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. -2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. +2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) ## Configure DNS for Device Registration Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. + 1. Open the **DNS Management** console. 2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. 3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. 4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. -5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. +5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. 6. Close the DNS Management console. ## Configure the Intranet Zone to include the federation service -The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. +The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. ### Create an Intranet Zone Group Policy Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials: + 1. Start the **Group Policy Management Console** (gpmc.msc). 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. 3. Right-click **Group Policy object** and select **New**. @@ -556,8 +570,8 @@ Each file in this folder represents a certificate in the service account’s Per For detailed information about the certificate, use `Certutil -q -v ` . - ## Follow the Windows Hello for Business on premises certificate trust deployment guide + 1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) 2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) 3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index f3f064b1d1..95b07dfe0d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -1,5 +1,5 @@ --- -title: Windows Hello for Business Deployment Guide +title: Windows Hello for Business Deployment Overview description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 @@ -13,28 +13,35 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/29/2018 +ms.date: 01/21/2021 ms.reviewer: --- -# Windows Hello for Business Deployment Guide +# Windows Hello for Business Deployment Overview **Applies to** -- Windows 10, version 1703 or later + +- Windows 10, version 1703 or later Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. -This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment. +This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization. + +Once you've chosen a deployment model, the deployment guide for the that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. + +> [!NOTE] +> Read the [Windows Hello for Business Deployment Prerequisite Overview](hello-identity-verification.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model. ## Assumptions -This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have: -* A well-connected, working network -* Internet access -* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning -* Proper name resolution, both internal and external names -* Active Directory and an adequate number of domain controllers per site to support authentication -* Active Directory Certificate Services 2012 or later -* One or more workstation computers running Windows 10, version 1703 +This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have: + +- A well-connected, working network +- Internet access +- Multi-factor Authentication Server to support MFA during Windows Hello for Business provisioning +- Proper name resolution, both internal and external names +- Active Directory and an adequate number of domain controllers per site to support authentication +- Active Directory Certificate Services 2012 or later +- One or more workstation computers running Windows 10, version 1703 If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server. @@ -46,15 +53,17 @@ Windows Hello for Business has three deployment models: Cloud, hybrid, and on-pr Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. -The trust model determines how you want users to authenticate to the on-premises Active Directory: -* The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. -* The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. -* The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. +The trust model determines how you want users to authenticate to the on-premises Active Directory: + +- The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. +- The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. +- The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. > [!NOTE] > RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). Following are the various deployment guides and models included in this topic: + - [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) - [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) - [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md new file mode 100644 index 0000000000..178932ec34 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -0,0 +1,187 @@ +--- +title: Windows Hello for Business Deployment Known Issues +description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues +keywords: identity, PIN, biometric, Hello, passport +params: siblings_only +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +audience: ITPro +author: mapalko +ms.author: mapalko +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +localizationpriority: medium +ms.date: 01/14/2021 +ms.reviewer: +--- +# Windows Hello for Business Known Deployment Issues + +The content of this article is to help troubleshoot and workaround known deployment issues for Windows Hello for Business. Each issue below will describe the applicable deployment type Windows versions. + +## Hybrid Key Trust Logon Broken Due to User Public Key Deletion + +Applies to: + +- Hybrid key trust deployments +- Windows Server 2016, builds 14393.3930 to 14393.4048 +- Windows Server 2019, builds 17763.1457 to 17763.1613 + +In Hybrid key trust deployments with domain controllers running certain builds of Windows Server 2016 and Windows Server 2019, the user's Windows Hello for Business key is deleted after they sign-in. Subsequent sign-ins will fail until the user's key is synced during the next Azure AD Connect delta sync cycle. + +### Identifying User Public Key Deletion Issue + +After the user provisions a Windows Hello for Business credential in a hybrid key trust environment, the key must sync from Azure AD to AD during an Azure AD Connect sync cycle. The user's public key will be written to the msDS-KeyCredentialLink attribute of the user object. + +Before the user's Windows Hello for Business key is synced, sign-in's with Windows Hello for Business will fail with the error message, *"That option is temporarily unavailable. For now, please use a different method to sign in."* After the sync is successful, the user should be able to login and unlock with their PIN or enrolled biometrics. + +In environments impacted with this issue, after the first sign-in with Windows Hello for Business after provisioning is completed, the next sign-in attempt will fail. In environments where domain controllers are running a mix of builds, only some may be impacted by this issue and subsequent logon attempts may be sent different domain controllers. This may result in the sign-in failures appearing to be intermittent. + +After the initial logon attempt, the user's Windows Hello for Business public key is being deleted from the msDS-KeyCredentialLink attribute. This can be verified by querying a user's msDS-KeyCredentialLink attribute before and after sign-in. The msDS-KeyCredentialLink can be queried in AD using [Get-ADUser](https://docs.microsoft.com/powershell/module/addsadministration/get-aduser) and specifying *msds-keycredentiallink* for the *-Properties* parameter. + +### Resolving User Public Key Deletion Issue + +To resolve this behavior, upgrade Windows Server 2016 and 2019 domain controllers to with the latest patches. For Windows Server 2016, this behavior is fixed in build 14393.4104 ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, this behavior is fixed in build 17763.1637 ([KB4592440](https://support.microsoft.com/help/4592440)). + +## Azure AD Joined Device Access to On-Premises Resources Using Key Trust and Third-Party Certificate Authority (CA) + +Applies to: + +- Azure AD joined key trust deployments +- Third-party certificate authority (CA) issuing domain controller certificates + +Windows Hello for Business uses smart card based authentication for many operations. Smart card has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates. + +For more information, read [Guidelines for enabling smart card logon with third-party certification authorities]( +https://docs.microsoft.com/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities). + +### Identifying On-premises Resource Access Issues with Third-Party CAs + +This issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client will fail to place a TGS_REQ request when a user attempts to access a resource. On the client, this can be observed in the Kerberos operation event log under **Application and Services/Microsoft/Windows/Security-Kerberos/Operational**. These logs are default disabled. The failure event for this case will include the following information: + + Log Name: Microsoft-Windows-Kerberos/Operational + Source: Microsoft-Windows-Security-Kerberos + Event ID: 107 + GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1} + Task Category: None + Level: Error + Keywords: + User: SYSTEM + Description: + + The Kerberos client received a KDC certificate that does not have a matched domain name. + + Expected Domain Name: ad.contoso.com + Error Code: 0xC000006D + +### Resolving On-premises Resource Access Issue with Third-Party CAs + +To resolve this issue, domain controller certificates need to be updated so the certificate subject contains directory path of the server object (distinguished name). +Example Subject: CN=DC1 OU=Domain Controller, DC=ad, DC=contoso, DC=com + +Alternatively, you can set the subject alternative name (SAN) of the domain controller certificate to contain the server object's fully qualified domain name and the NETBIOS name of the domain. +Example Subject Alternative Name: +dns=dc1.ad.contoso.com +dns=ad.contoso.com +dns=ad + +## Key Trust Authentication Broken for Windows Server 2019 + +Applies to: + +- Windows Server 2019 +- Hybrid key trust deployments +- On-premises key trust deployments + +Domain controllers running early versions of Windows Server 2019 have an issue that prevents key trust authentication from working properly. Networks traces report KDC_ERR_CLIENT_NAME_MISMATCH. + +### Identifying Server 2019 Key Trust Authentication Issue + +On the client, authentication with Windows Hello for Business will fail with the error message, *"That option is temporarily unavailable. For now, please use a different method to sign in."* + +This error is usually presented on hybrid Azure AD joined devices in key trust deployments after Windows Hello for Business has been provisioned but before a user's key has synced from Azure AD to AD. If a user's key has been synced from Azure AD and the msDS-keycredentiallink attribute on the user object in AD has been populated for NGC, then it is possible that this error case is occurring. + +The other indicator of this failure case can be identified using network traces. If network traces are captured for a key trust sign-in event, the traces will show kerberos failing with the error KDC_ERR_CLIENT_NAME_MISMATCH. + +### Resolving Server 2019 Key Trust Authentication Issue + +This issue was fixed in Windows Server 2019, build 17763.316 ([KB4487044](https://support.microsoft.com/help/4487044/windows-10-update-kb4487044)). Upgrade all Windows Server 2019 domain controllers to Windows Server 2019, build 17763.316 or newer to resolve this behavior. + +## Certificate Trust Provisioning with AD FS Broken on Windows Server 2019 + +Applies to: + +- Windows Server 2019 +- Hybrid certificate trust deployments +- On-premises certificate trust deployments + +AD FS running on Windows Server 2019 fails to complete device authentication properly due to an invalid check of incoming scopes in the request. Device authentication to AD FS is a requirement for Windows Hello for Business to enroll a certificate using AD FS. The client will block Windows Hello for Business provisioning until this authentication is successful. + +### Identifying Certificate Trust with AD FS 2019 Enrollment Issue + +The provisioning experience for Windows Hello for Business will launch if a set of prerequisite checks done by the client are successful. The result of the provisioningAdmin checks is available in event logs under Microsoft-Windows-User Device Registration. If provisioning is blocked because device authentication has not successfully occurred, there will be an event ID 362 in the logs that states that *User has successfully authenticated to the enterprise STS: No*. + + Log Name: Microsoft-Windows-User Device Registration/Admin + Source: Microsoft-Windows-User Device Registration + Date: + Event ID: 362 + Task Category: None + Level: Warning + Keywords: + User: + Computer: + Description: + Windows Hello for Business provisioning will not be launched. + Device is AAD joined ( AADJ or DJ++ ): Yes + User has logged on with AAD credentials: Yes + Windows Hello for Business policy is enabled: Yes + Windows Hello for Business post-logon provisioning is enabled: Yes + Local computer meets Windows hello for business hardware requirements: Yes + User is not connected to the machine via Remote Desktop: Yes + User certificate for on premise auth policy is enabled: Yes + Enterprise user logon certificate enrollment endpoint is ready: Not Tested + Enterprise user logon certificate template is : No ( 1 : StateNoPolicy ) + User has successfully authenticated to the enterprise STS: No + Certificate enrollment method: enrollment authority + See https://go.microsoft.com/fwlink/?linkid=832647 for more details. + +If a device has recently been joined to a domain, then there may be a delay before the device authentication occurs. If the failing state of this prerequisite check persists, then it can indicate an issue with the AD FS configuration. + +If this AD FS scope issue is present, event logs on the AD FS server will indicate an authentication failure from the client. This error will be logged in event logs under AD FS/Admin as event ID 1021 and the event will specify that the client is forbidden access to resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs': + + Log Name: AD FS/Admin + Source: AD FS + Date: + Event ID: 1021 + Task Category: None + Level: Error + Keywords: AD FS + User: + Computer: + Description: + Encountered error during OAuth token request. + Additional Data + Exception details: + Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9368: Received invalid OAuth request. The client '38aa3b87-a06d-4817-b275-7a316988d93b' is forbidden to access the resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs'. + at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolContext.ValidateScopes(String scopeParameter, String clientId, String relyingPartyId) + at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateCore() + +### Resolving Certificate Trust with AD FS 2019 Enrollment Issue + +This issue is fixed in Windows Server, version 1903 and later. For Windows Server 2019, this issue can be remediated by adding the ugs scope manually. + +1. Launch AD FS management console. Browse to "Services > Scope Descriptions". +2. Right click "Scope Descriptions" and select "Add Scope Description". +3. Under name type "ugs" and Click Apply > OK. +4. Launch PowerShell as an administrator. +5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": + +``` PowerShell +(Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier +``` + +6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`. +7. Restart the AD FS service. +8. On the client: Restart the client. User should be prompted to provision Windows Hello for Business. diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 01f18214de..b7bc415c06 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -68,7 +68,7 @@ If the error occurs again, check the error code against the following table to s | 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed.

-or-

Token was not found in the Authorization header.

-or-

Failed to read one or more objects.

-or-

The request sent to the server was invalid. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin. | 0x801C03EE | Attestation failed. | Sign out and then sign in again. | | 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. | -| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue refer to [Duplicate Attributes Prevent Dirsync](https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). +| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in AAD and the Primary SMTP address are the same in the proxy address. | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md deleted file mode 100644 index b96b25c8f4..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ /dev/null @@ -1,171 +0,0 @@ ---- -title: Windows Hello for Business Frequently Asked Questions -description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business. -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: mapalko -ms.author: mapalko -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 -ms.reviewer: ---- -# Windows Hello for Business Frequently Asked Questions - -**Applies to** -- Windows 10 - -## What about virtual smart cards? -Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends new Windows 10 deployments to use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8. - -## What about convenience PIN? -Microsoft is committed to its vision of a world without passwords. We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. - -## Can I use Windows Hello for Business key trust and RDP? -RDP currently does not support using key based authentication and self signed certificates as supplied credentials. RDP with supplied credentials Windows Hello for Business is currently only supported with certificate based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). - -## Can I deploy Windows Hello for Business using Microsoft Endpoint Configuration Manager? -Windows Hello for Business deployments using Configuration Manager should use the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-hello-for-business-settings). - -## How many users can enroll for Windows Hello for Business on a single Windows 10 computer? -The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available. - -## How can a PIN be more secure than a password? -When using Windows Hello for Business, the PIN is not a symmetric key where is the password is a symmetric key. With passwords, there is a server that has some representation of the password. With Windows Hello for Business, the PIN is user provided entropy used to load the private key in the TPM. The server does not have a copy of the PIN. For that matter, the Windows client does not have a copy of the current PIN either. The user must provide the entropy, the TPM protected key, and the TPM that generated that key to successfully have access to the private key. - -The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It is about the difference of providing entropy vs continuing the use of a symmetric key (the password). The TPM has anti-hammering features which thwart brute-force PIN attacks (an attackers continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increased the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. - -## Why is the Key Admins group missing, I have Windows Server 2016 domain controller(s)? -The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016. - -## Can I use a convenience PIN with Azure AD? -It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts (synchronized identities included). It is only supported for on-premises Domain Joined users and local account users. - -## Can I use an external camera when my laptop is closed or docked? -No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further. - -## Why does authentication fail immediately after provisioning Hybrid Key Trust? -In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle. - -## What is the password-less strategy? -Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**. - -[Microsoft's password-less strategy](hello-videos.md#microsofts-passwordless-strategy) - -## What is the user experience for Windows Hello for Business? -The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment. - -[Windows Hello for Business user enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) - -## What happens when my user forgets their PIN? -If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with Windows 10 1709, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider. - -[Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience) - -For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. - -## What URLs do I need to allow for a hybrid deployment? -Communicating with Azure Active Directory uses the following URLs: -- enterpriseregistration.windows.net -- login.microsoftonline.com -- login.windows.net -- account.live.com - -If your environment uses Microsoft Intune, you need these additional URLs: -- enrollment.manage.microsoft.com -- portal.manage.microsoft.com - -## What is the difference between non-destructive and destructive PIN reset? -Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provided a second factor of authentication, and reset their PIN without re-provisioning a new Windows Hello for Business enrollment. This is a non-destructive PIN reset because the user does not delete the current credential and obtain a new one. Read [PIN Reset](hello-feature-pin-reset.md) page for more information. - -Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. with destructive PIN reset, users that have forgotten their PIN can authenticate using their password, perform a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. - -## Which is better or more secure: Key trust or Certificate trust? -The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are: -- Required domain controllers -- Issuing end entity certificates - -The **key trust** model authenticates to Active Directory using a raw key. Windows Server 2016 domain controllers enables this authentication. Key trust authenticate does not require an enterprise issued certificate, therefore you do not need to issue certificates to your end users (domain controller certificates are still needed). - -The **certificate trust** model authenticates to Active Directory using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to your end users, but you do not need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM protected private key to request a certificate from your enterprise's issuing certificate authority. - -## Do I need Windows Server 2016 domain controllers? -There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment. - -## What attributes are synchronized by Azure AD Connect with Windows Hello for Business? -Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that are sync based on scenarios. The base scenarios that include Windows Hello for Business are [Windows 10](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes. - -## Is Windows Hello for Business multifactor authentication? -Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". - -## What are the biometric requirements for Windows Hello for Business? -Read [Windows Hello biometric requirements](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information. - -## Can I use both a PIN and biometrics to unlock my device? -Starting in Windows 10, version 1709, you can use multi-factor unlock to require the user to provide an additional factor to unlock the device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. Read more about [multifactor unlock](feature-multifactor-unlock.md). - -## What is the difference between Windows Hello and Windows Hello for Business? -Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. - -## Why can't I enroll biometrics for my local built-in Administrator? -Windows 10 does not allow the local administrator to enroll biometric gestures (face or fingerprint). - -## I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model? -No. If your organization is federated or using on-line services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory. - -## Does Windows Hello for Business prevent the use of simple PINs? -Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. The algorithm counts the number of steps required to reach the next digit, overflowing at ten ('zero'). -So, for example: -* The PIN 1111 has a constant delta of (0,0,0), so it is not allowed -* The PIN 1234 has a constant delta of (1,1,1), so it is not allowed -* The PIN 1357 has a constant delta of (2,2,2), so it is not allowed -* The PIN 9630 has a constant delta of (7,7,7), so it is not allowed -* The PIN 1593 has a constant delta of (4,4,4), so it is not allowed -* The PIN 7036 has a constant delta of (3,3,3), so it is not allowed -* The PIN 1231 does not have a constant delta (1,1,8), so it is allowed -* The PIN 1872 does not have a constant delta (7,9,5), so it is allowed - -This prevents repeating numbers, sequential numbers, and simple patterns. -It always results in a list of 100 disallowed PINs (independent of the PIN length). -This algorithm does not apply to alphanumeric PINs. - -## How does PIN caching work with Windows Hello for Business? - -Windows Hello for Business provides a PIN caching user experience using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key. - -Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations will not prompt the user for the PIN. - -The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching. - -## Can I disable the PIN while using Windows Hello for Business? -No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fall back mechanism that is not a password. The PIN is the fall back mechanism. Disabling or hiding the PIN credential provider disabled the use of biometrics. - -## How are keys protected? -Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software. - -Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to re-authenticate to the IDP before the IDP allows him or her to re-register). - -## Can Windows Hello for Business work in air-gapped environments? -Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that does not require Internet connectivity to achieve an air-gapped Windows Hello for Business deployment. - -## Can I use third-party authentication providers with Windows Hello for Business? -Yes, if you are federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods). - -## Does Windows Hello for Business work with third party federation servers? -Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). - -| Protocol | Description | -| :---: | :--- | -| [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | -| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. | -| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (The OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | -| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. | - -## Does Windows Hello for Business work with Mac and Linux clients? -Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml new file mode 100644 index 0000000000..ae0af27fe6 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -0,0 +1,222 @@ +### YamlMime:FAQ +metadata: + title: Windows Hello for Business Frequently Asked Questions (FAQ) + description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business. + keywords: identity, PIN, biometric, Hello, passport + ms.prod: w10 + ms.mktglfcycl: deploy + ms.sitesec: library + ms.pagetype: security, mobile + audience: ITPro + author: mapalko + ms.author: mapalko + manager: dansimp + ms.collection: M365-identity-device-management + ms.topic: article + localizationpriority: medium + ms.date: 01/14/2021 + ms.reviewer: + +title: Windows Hello for Business Frequently Asked Questions (FAQ) +summary: | + Applies to: Windows 10 + + +sections: + - name: Ignored + questions: + - question: What about virtual smart cards? + answer: | + Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8. + + - question: What about convenience PIN? + answer: | + Microsoft is committed to its vision of a world without passwords. We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends that customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. + + - question: Can I use Windows Hello for Business key trust and RDP? + answer: | + Remote Desktop Protocol (RDP) does not currently support using key-based authentication and self-signed certificates as supplied credentials. RDP with supplied credentials is currently only supported with certificate-based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). + + - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager? + answer: | + Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-hello-for-business-settings). + + - question: How many users can enroll for Windows Hello for Business on a single Windows 10 computer? + answer: | + The maximum number of supported enrollments on a single Windows 10 computer is 10. This lets 10 users each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available. + + - question: How can a PIN be more secure than a password? + answer: | + When using Windows Hello for Business, the PIN is not a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server does not have a copy of the PIN. For that matter, the Windows client does not have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. + + The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. + + - question: How does Windows Hello for Business work with Azure AD registered devices? + answer: | + On Azure AD registered devices, a user will be asked to provision a Windows Hello for Business key if the feature is enabled by mobile device management policy. If the user has an existing Windows Hello container for use with their local or Microsoft connected account, the Windows Hello for Business key will be enrolled in their existing container and will be protected using their exiting gestures. + + If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. + + It is possible to Azure AD register a domain joined device. If the domain joined device has a convenience PIN, login with the convenience PIN will no longer work. This configuration is not supported by Windows Hello for Business. + + For more information please read [Azure AD registered devices](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-register). + + - question: I have Windows Server 2016 domain controller(s), so why is the Key Admins group missing? + answer: | + The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016. + + - question: Can I use a convenience PIN with Azure Active Directory? + answer: | + It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users. + + - question: Can I use an external camera when my laptop is closed or docked? + answer: | + No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further. + + - question: Why does authentication fail immediately after provisioning hybrid key trust? + answer: | + In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle. + + - question: What is the password-less strategy? + answer: | + Watch Principal Program Manager Karanbir Singh's **Microsoft's guide for going password-less** Ignite 2017 presentation. + + [Microsoft's password-less strategy](hello-videos.md#microsofts-passwordless-strategy) + + - question: What is the user experience for Windows Hello for Business? + answer: | + The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment. + + [Windows Hello for Business user enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) + + - question: What happens when a user forgets their PIN? + answer: | + If the user can sign-in with a password, they can reset their PIN by selecting the "I forgot my PIN" link in Settings. Beginning with Windows 10 1709, users can reset their PIN above the lock screen by selecting the "I forgot my PIN" link on the PIN credential provider. + + [Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience) + + For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. + + - question: What URLs do I need to allow for a hybrid deployment? + answer: | + Communicating with Azure Active Directory uses the following URLs: + - enterpriseregistration.windows.net + - login.microsoftonline.com + - login.windows.net + - account.live.com + - accountalt.azureedge.net + - secure.aadcdn.microsoftonline-p.com + + If your environment uses Microsoft Intune, you need these additional URLs: + - enrollment.manage.microsoft.com + - portal.manage.microsoft.com + + - question: What's the difference between non-destructive and destructive PIN reset? + answer: | + Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once onboarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without re-provisioning a new Windows Hello for Business enrollment. This is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md). + + Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. + + - question: | + Which is better or more secure: key trust or certificate trust? + answer: | + The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are: + - Required domain controllers + - Issuing end entity certificates + + The **key trust** model authenticates to Active Directory by using a raw key. Windows Server 2016 domain controllers enable this authentication. Key trust authenticate does not require an enterprise issued certificate, therefore you don't need to issue certificates to users (domain controller certificates are still needed). + + The **certificate trust** model authenticates to Active Directory by using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to users, but you don't need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM-protected private key to request a certificate from your enterprise's issuing certificate authority. + + - question: Do I need Windows Server 2016 domain controllers? + answer: | + There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you've deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment. + + - question: What attributes are synchronized by Azure AD Connect with Windows Hello for Business? + answer: | + Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes. + + - question: Is Windows Hello for Business multi-factor authentication? + answer: | + Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something that's part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". + + - question: What are the biometric requirements for Windows Hello for Business? + answer: | + Read [Windows Hello biometric requirements](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information. + + - question: Can I use both a PIN and biometrics to unlock my device? + answer: | + Starting in Windows 10, version 1709, you can use multi-factor unlock to require users to provide an additional factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md). + + - question: Can I wear a mask to enroll or unlock using Windows Hello face authentication? + answer: | + Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. + + - question: What's the difference between Windows Hello and Windows Hello for Business? + answer: | + Windows Hello represents the biometric framework provided in Windows 10. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. + + - question: Why can't I enroll biometrics for my local, built-in administrator? + answer: | + Windows 10 does not allow the local administrator to enroll biometric gestures (face or fingerprint). + + - question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model? + answer: | + No. If your organization is federated or using online services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory. + + - question: Does Windows Hello for Business prevent the use of simple PINs? + answer: | + Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. The algorithm counts the number of steps required to reach the next digit, overflowing at ten ('zero'). + So, for example: + + - The PIN 1111 has a constant delta of (0,0,0), so it is not allowed + - The PIN 1234 has a constant delta of (1,1,1), so it is not allowed + - The PIN 1357 has a constant delta of (2,2,2), so it is not allowed + - The PIN 9630 has a constant delta of (7,7,7), so it is not allowed + - The PIN 1593 has a constant delta of (4,4,4), so it is not allowed + - The PIN 7036 has a constant delta of (3,3,3), so it is not allowed + - The PIN 1231 does not have a constant delta (1,1,8), so it is allowed + - The PIN 1872 does not have a constant delta (7,9,5), so it is allowed + + This prevents repeating numbers, sequential numbers, and simple patterns. It always results in a list of 100 disallowed PINs (independent of the PIN length). This algorithm does not apply to alphanumeric PINs. + + - question: How does PIN caching work with Windows Hello for Business? + answer: | + Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key. + + Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations will not prompt the user for the PIN. + + The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching. + + - question: Can I disable the PIN while using Windows Hello for Business? + answer: | + No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that is not a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics. + + - question: How are keys protected? + answer: | + Wherever possible, Windows Hello for Business takes advantage of Trusted Platform Module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business do not require a TPM. Administrators can choose to allow key operations in software. + + Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will need to reset the PIN (which means they'll need to use MFA to re-authenticate to the IDP before the IDP allows them to re-register). + + - question: Can Windows Hello for Business work in air-gapped environments? + answer: | + Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that does not require internet connectivity to achieve an air-gapped Windows Hello for Business deployment. + + - question: Can I use third-party authentication providers with Windows Hello for Business? + answer: | + Yes, if you're using federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods). + + - question: Does Windows Hello for Business work with third-party federation servers? + answer: | + Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).

+ + | Protocol | Description | + | :---: | :--- | + | [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | + | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. | + | [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | + | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. | + + - question: Does Windows Hello for Business work with Mac and Linux clients? + answer: | + Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md index 73e734e99b..470d856d45 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md @@ -32,7 +32,7 @@ In a mobile-first, cloud-first world, Azure Active Directory enables single sign To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access. > [!NOTE] -> For more details about the way Windows Hello for Business interacts with Azure Multi Factor Authentication and Conditional Access, see [this article](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032). +> For more details about the way Windows Hello for Business interacts with Azure AD Multi-Factor Authentication and Conditional Access, see [this article](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032). Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index f6a0ebc776..2a553e3421 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 09/09/2019 +ms.date: 12/22/2020 ms.reviewer: --- @@ -45,47 +45,36 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se 1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. 2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account. -![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) + ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) 3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. 4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account. - + ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) > [!NOTE] > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. - -![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) - 5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. -![PIN reset service permissions page](images/pinreset/pin-reset-applications.png) + ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png) ### Configure Windows devices to use PIN reset using Group Policy You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. -2. Edit the Group Policy object from step 1. -3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**. +2. Edit the Group Policy object from Step 1. +3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. 4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. -### Configure Windows devices to use PIN reset using Microsoft Intune - -To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP): - #### Create a PIN Reset Device configuration profile using Microsoft Intune -1. Sign-in to [Azure Portal](https://portal.azure.com) using a Global administrator account. -2. You need your tenant ID to complete the following task. You can discover your tenant ID by viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a Command window on any Azure AD-joined or hybrid Azure AD-joined computer.
+1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account. +2. Click **Endpoint Security** > **Account Protection** > **Properties**. +3. Set **Enable PIN recovery** to **Yes**. - ``` - dsregcmd /status | findstr -snip "tenantid" - ``` +> [!NOTE] +> You can also setup PIN recovery using configuration profiles. +> 1. Sign in to Endpoint Manager. +> 2. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type. +> 3. Set **Enable PIN recovery** to **Yes**. -1. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**. -1. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list. Select **Custom** from the **Profile type** list. -1. In the **Custom OMA-URI Settings** blade, Click **Add**. -1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2. -1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list. -1. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile. - #### Assign the PIN Reset Device configuration profile using Microsoft Intune 1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account. @@ -120,7 +109,9 @@ On-premises deployments provide users with the ability to reset forgotten PINs e 3. Follow the instructions provided by the provisioning process 4. When finished, unlock your desktop using your newly created PIN. ->[!NOTE] +You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations). + +> [!NOTE] > Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md deleted file mode 100644 index d35d4dea64..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ /dev/null @@ -1,57 +0,0 @@ ---- -title: Windows Hello for Business Features -description: Consider additional features you can use after your organization deploys Windows Hello for Business. -ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E -ms.reviewer: -keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged credentials -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: mapalko -ms.author: mapalko -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 11/27/2019 ---- -# Windows Hello for Business Features - -**Applies to:** - -- Windows 10 - -Consider these additional features you can use after your organization deploys Windows Hello for Business. - -## Conditional access - -Azure Active Directory provides a wide set of options for protecting access to corporate resources. Conditional access provides more fine grained control over who can access certain resources and under what conditions. For more information see [Conditional Access](hello-feature-conditional-access.md). - -## Dynamic lock - -Dynamic lock uses a paired Bluetooth device to determine user presence and locks the device if a user is not present. For more information and configuration steps see [Dynamic Lock](hello-feature-dynamic-lock.md). - -## PIN reset - -Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen. The Microsoft PIN reset service can be used for completing this reset without the user needing to enroll a new Windows Hello for Business credential. For more information and configuration steps see [Pin Reset](hello-feature-pin-reset.md). - -## Dual Enrollment - -This feature enables provisioning of administrator Windows Hello for Business credentials that can be used by non-privileged accounts to perform administrative actions. These credentials can be used from the non-privileged accounts using **Run as different user** or **Run as administrator**. For more information and configuration steps see [Dual Enrollment](hello-feature-dual-enrollment.md). - -## Remote Desktop - -Users with Windows Hello for Business certificate trust can use their credential to authenticate to remote desktop sessions over RDP. When authenticating to the session, biometric gestures can be used if they are enrolled. For more information and configuration steps see [Remote Desktop](hello-feature-remote-desktop.md). - -## Related topics - -- [Windows Hello for Business](hello-identity-verification.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md deleted file mode 100644 index 0e03beb9e3..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md +++ /dev/null @@ -1,49 +0,0 @@ ---- -title: How Windows Hello for Business works - Technical Deep Dive -description: Deeply explore how Windows Hello for Business works, and how it can help your users authenticate to services. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: mapalko -ms.author: mapalko -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 -ms.reviewer: ---- -# Technical Deep Dive - -**Applies to:** -- Windows 10 - -Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories: -- [Registration](#registration) -- [Provisioning](#provisioning) -- [Authentication](#authentication) - -## Registration - -Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS). - -[How Device Registration Works](hello-how-it-works-device-registration.md) - - -## Provisioning - -Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
-After successfully completing the second factor of authentication, the user is asked to enroll biometrics (if available on the device) and create PIN as a backup gesture. Windows then registers the public version of the Windows Hello for Business credential with the identity provider.
-For cloud and hybrid deployments, the identity provider is Azure Active Directory and the user registers their key with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the user registers their key with the enterprise device registration service hosted on the federation servers.
-Provision can occur automatically through the out-of-box-experience (OOBE) on Azure Active Directory joined devices, or on hybrid Azure Active Directory joined devices where the user or device is influenced by Windows Hello for Business policy settings. Users can start provisioning through **Add PIN** from Windows Settings. Watch the [Windows Hello for Business enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) from our [Videos](hello-videos.md) page. - -[How Windows Hello for Business provisioning works](hello-how-it-works-provisioning.md) - -## Authentication - -Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. - -[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 72cba7a12e..cf3fb265d2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -162,7 +162,7 @@ Primarily for large enterprise organizations with more complex authentication re For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable: - IT departments to manage work-owned devices from a central location. - Users to sign in to their devices with their Active Directory work or school accounts. -Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Microsoft Endpoint Configuration Manager or group policy (GP) to manage them. +Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy (GP) to manage them. If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 528c1b6fe8..c9844c3d80 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -19,29 +19,46 @@ ms.reviewer: **Applies to** -- Windows 10 +- Windows 10 -Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices. +Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices. Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features. > [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8] ## Technical Deep Dive -Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business. +Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business. -Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work. +### Device Registration + +Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS). + +For more information read [how device registration works](hello-how-it-works-device-registration.md). + +### Provisioning + +Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential. + +Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works. > [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s] + +For more information read [how provisioning works](hello-how-it-works-provisioning.md). + +### Authentication + +With the device registered and provisioning complete, users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. + +Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works. + > [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek] -- [Technology and Terminology](hello-how-it-works-technology.md) -- [Device Registration](hello-how-it-works-device-registration.md) -- [Provisioning](hello-how-it-works-provisioning.md) -- [Authentication](hello-how-it-works-authentication.md) +For more information read [how authentication works](hello-how-it-works-authentication.md). ## Related topics +- [Technology and Terminology](hello-how-it-works-technology.md) - [Windows Hello for Business](hello-identity-verification.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index cd9f264b8a..d9ccb2db53 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -13,12 +13,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 01/14/2021 ms.reviewer: --- # Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business **Applies to** + - Windows 10 - Azure Active Directory joined - Hybrid Deployment @@ -63,6 +64,7 @@ If your CRL distribution point does not list an HTTP distribution point, then yo > If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server. ### Windows Server 2016 Domain Controllers + If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We are glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. If you are interested in configuring your environment to use the Windows Hello for Business certificate rather than key, then you are the right place. The same certificate configuration on the domain controllers is needed, whether you are using Windows Server 2016 domain controllers or domain controllers running earlier versions of Windows Server. You can simply ignore the Windows Server 2016 domain controller requirement. @@ -73,20 +75,20 @@ Certificate authorities write CRL distribution points in certificates as they ar #### Why does Windows need to validate the domain controller certificate? -Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: +Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: - The domain controller has the private key for the certificate provided. - The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. - Use the **Kerberos Authentication certificate template** instead of any other older template. -- The domain controller's certificate has the **KDC Authentication** enhanced key usage. +- The domain controller's certificate has the **KDC Authentication** enhanced key usage (EKU). - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain. - The domain controller's certificate's signature hash algorithm is **sha256**. - The domain controller's certificate's public key is **RSA (2048 Bits)**. +Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business does not enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you are adding Azure AD joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md) > [!Tip] > If you are using Windows Server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing or re-issuing the certificate. - ## Configuring a CRL Distribution Point for an issuing certificate authority diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 1df6239643..1c550a85f6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -1,7 +1,7 @@ --- title: Using Certificates for AADJ On-premises Single-sign On single sign-on description: If you want to use certificates for on-premises single-sign on for Azure Active Directory joined devices, then follow these additional steps. -keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, +keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -14,11 +14,12 @@ ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +ms.reviewer: --- + # Using Certificates for AADJ On-premises Single-sign On -**Applies to** +**Applies to:** - Windows 10 - Azure Active Directory joined - Hybrid Deployment @@ -27,7 +28,7 @@ ms.reviewer: If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD joined devices. > [!IMPORTANT] -> Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. +> Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. Steps you will perform include: - [Prepare Azure AD Connect](#prepare-azure-ad-connect) @@ -45,7 +46,7 @@ You need to install and configure additional infrastructure to provide Azure AD - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role ### High Availaibilty -The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. +The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion). @@ -55,17 +56,17 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u - Encryption - Signature and Encryption -If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificates templates to reduce the number of certificate templates. +If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates. ### Network Requirements -All communication occurs securely over port 443. +All communication occurs securely over port 443. ## Prepare Azure AD Connect Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name. Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller. -To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules need to for these attributes. +To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes. ### Verify AAD Connect version Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_. @@ -100,8 +101,8 @@ Sign-in to a domain controller or management workstation with access equivalent Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Open **Active Directory Users and Computers**. -2. Expand the domain node from the navigation pane. -3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**. +2. Expand the domain node from the navigation pane. +3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**. 4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog. > [!NOTE] @@ -118,10 +119,10 @@ Sign-in to a domain controller or management workstation with access equivalent 4. Click **Finish**. > [!IMPORTANT] -> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires. +> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires. ### Create the NDES Service User Rights Group Policy object -The Group Policy object ensures the NDES Service account has the proper user right assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through Group Policy. +The Group Policy object ensures the NDES Service account has the proper user right to assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through the Group Policy. Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. @@ -135,10 +136,10 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. 9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. 10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times. -11. Close the **Group Policy Management Editor**. +11. Close the **Group Policy Management Editor**. ### Configure security for the NDES Service User Rights Group Policy object -The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group. +The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. @@ -159,7 +160,7 @@ Sign-in to a domain controller or management workstation with access equivalent 3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**. > [!IMPORTANT] -> Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object. +> Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object. ## Prepare Active Directory Certificate Authority You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role. In this task, you will @@ -177,46 +178,52 @@ When deploying certificates using Microsoft Intune, you have the option of provi Sign-in to the issuing certificate authority with access equivalent to _local administrator_. -1. Open and elevated command prompt. Type the command +1. Open an elevated command prompt and type the following command: ``` certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE ``` -2. Restart the **Active Directory Certificate Services** service. +2. Restart the **Active Directory Certificate Services** service. ### Create an NDES-Intune authentication certificate template -NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point. +NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point. Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. +1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**. -4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. - **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the lab. -5. On the **Subject** tab, select **Supply in the request**. -6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**. -7. On the **Security** tab, click **Add**. -8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. -9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -10. Click on the **Apply** to save changes and close the console. +4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. + + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. + +5. On the **Subject** tab, select **Supply in the request**. +6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**. +7. On the **Security** tab, click **Add**. +8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. +9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +10. Click on the **Apply** to save changes and close the console. ### Create an Azure AD joined Windows Hello for Business authentication certificate template -During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from the Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. +During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. -Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. +Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. - **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. -6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. + + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. + +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. 8. On the **Subject** tab, select **Supply in the request**. 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**. 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**. -12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for the **Read**, **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. 13. Close the console. ### Publish certificate templates @@ -231,7 +238,7 @@ Sign-in to the certificate authority or management workstations with an _Enterpr 2. Expand the parent node from the navigation pane. 3. Click **Certificate Templates** in the navigation pane. 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. -5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. 6. Close the console. ## Install and Configure the NDES Role @@ -250,10 +257,10 @@ Install the Network Device Enrollment Service role on a computer other than the Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. 1. Open **Server Manager** on the NDES server. -2. Click **Manage**. Click **Add Roles and Features**. +2. Click **Manage**. Click **Add Roles and Features**. 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**. ![Server Manager destination server](images/aadjCert/servermanager-destination-server-ndes.png) -4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. +4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. ![Server Manager AD CS Role](images/aadjCert/servermanager-adcs-role.png) Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. ![Server Manager Add Features](images/aadjcert/serverManager-adcs-add-features.png) @@ -270,8 +277,8 @@ Sign-in to the certificate authority or management workstations with an _Enterpr * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** ![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png) 9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. - > [!Important] - > The .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ + > [!IMPORTANT] + > .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ ![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png) ### Configure the NDES service account @@ -280,19 +287,23 @@ This task adds the NDES service account to the local IIS_USRS group. The task a #### Add the NDES service account to the IIS_USRS group Sign-in the NDES server with access equivalent to _local administrator_. -1. Start the **Local Users and Groups** management console (lusrmgr.msc). +1. Start the **Local Users and Groups** management console (`lusrmgr.msc`). 2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group. 3. In the **IIS_IUSRS Properties** dialog box, click **Add**. Type **NDESSvc** or the name of your NDES service account. Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box. 4. Close the management console. #### Register a Service Principal Name on the NDES Service account -Sign-in the NDES server with a access equivalent to _Domain Admins_. +Sign-in the NDES server with access equivalent to _Domain Admins_. 1. Open an elevated command prompt. -2. Type the following command to register the service principal name
-```setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]```
-where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following.
-```setspn -s http/ndes.corp.contoso.com contoso\ndessvc``` +2. Type the following command to register the service principal name + ``` + setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount] + ``` + where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following: + ``` + setspn -s http/ndes.corp.contoso.com contoso\ndessvc + ``` > [!NOTE] > If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs. @@ -306,16 +317,16 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 1. Open **Active Directory Users and Computers** 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab. -![NDES Delegation Tab](images/aadjcert/ndessvcdelegationtab.png) + ![NDES Delegation Tab](images/aadjcert/ndessvcdelegationtab.png) 3. Select **Trust this user for delegation to specified services only**. 4. Select **Use any authentication protocol**. 5. Click **Add**. 6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**. -![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) -7. Repeat steps 5 and 6 for each NDES server using this service account.8. Click **Add**. + ![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) +7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**. 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates. -![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png) + ![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png) 10. Click **OK**. Close **Active Directory Users and Computers**. ### Configure the NDES Role and Certificate Templates @@ -325,63 +336,67 @@ This task configures the NDES role and the certificate templates the NDES server Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. > [!NOTE] -> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point. +> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point. ![Server Manager Post-Install Yellow flag](images/aadjcert/servermanager-post-ndes-yellowactionflag.png) 1. Click the **Configure Active Directory Certificate Services on the destination server** link. 2. On the **Credentials** page, click **Next**. -![NDES Installation Credentials](images/aadjcert/ndesconfig01.png) + ![NDES Installation Credentials](images/aadjcert/ndesconfig01.png) 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next** -![NDES Role Services](images/aadjcert/ndesconfig02.png) -4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...** Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. -![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png) + ![NDES Role Services](images/aadjcert/ndesconfig02.png) +4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. + ![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png) 5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**. -![NDES CA selection](images/aadjcert/ndesconfig04.png) + ![NDES CA selection](images/aadjcert/ndesconfig04.png) 6. On the **RA Information**, click **Next**. 7. On the **Cryptography for NDES** page, click **Next**. 8. Review the **Confirmation** page. Click **Configure**. -![NDES Confirmation](images/aadjcert/ndesconfig05.png) + ![NDES Confirmation](images/aadjcert/ndesconfig05.png) 8. Click **Close** after the configuration completes. #### Configure Certificate Templates on NDES -A single NDES server can request a maximum of three certificate template. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values. +A single NDES server can request a maximum of three certificate templates. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values. * Digital Signature * Key Encipherment * Key Encipherment, Digital Signature -Each value maps to a registry value name in the NDES server. The NDES server translate an incoming SCEP provide value into the correspond certificate template. The table belows shows the SCEP profile value to the NDES certificate template registry value name +Each value maps to a registry value name in the NDES server. The NDES server translates an incoming SCEP provided value into the corresponding certificate template. The table below shows the SCEP profile values of the NDES certificate template registry value names. -|SCEP Profile Key usage| NDES Registry Value Name| -|:----------:|:-----------------------:| -|Digital Signature|SignatureTemplate| -|Key Encipherment|EncryptionTemplate| -|Key Encipherment
Digital Signature|GeneralPurposeTemplate| +| SCEP Profile Key usage| NDES Registry Value Name | +| :-------------------: | :----------------------: | +| Digital Signature | SignatureTemplate | +| Key Encipherment | EncryptionTemplate | +| Key Encipherment
Digital Signature | GeneralPurposeTemplate | -Ideally, you should match the certificate request with registry value name to keep the configuration intuitive (encryption certificates use the encryptionTemplate, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise. +Ideally, you should match the certificate request with the registry value name to keep the configuration intuitive (encryption certificates use the encryption template, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in the NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise. - If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it. +If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it. Sign-in to the NDES Server with _local administrator_ equivalent credentials. 1. Open an elevated command prompt. 2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices. -3. Type the following command
-```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]```
-where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example:
-```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication```
+3. Type the following command: + ``` + reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName] + ``` + where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example: + ``` + reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication + ``` 4. Type **Y** when the command asks for permission to overwrite the existing value. 5. Close the command prompt. > [!IMPORTANT] -> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (certtmpl.msc). +> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (`certtmpl.msc`). ### Create a Web Application Proxy for the internal NDES URL. Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services. -Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies. +Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies. -Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications. +Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications. Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner. @@ -395,7 +410,7 @@ Sign-in a workstation with access equivalent to a _domain user_. ![Azure Application Proxy Connectors](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_. > [!IMPORTANT] - > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategtically locate Azure AD application proxy connectors throughout your organization to ensure maximum availablity. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. + > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. 6. Start **AADApplicationProxyConnectorInstaller.exe**. 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. @@ -412,9 +427,9 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 3. Under **MANAGE**, click **Application proxy**. -![Azure Application Proxy Connector groups](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) + ![Azure Application Proxy Connector groups](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) 4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**. -![Azure Application New Connector Group](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) + ![Azure Application New Connector Group](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests. 6. Click **Save**. @@ -426,18 +441,18 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Under **MANAGE**, click **Application proxy**. 4. Click **Configure an app**. 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. -6. Next to **Internal Url**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. -7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). +6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. +7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png) 8. Select **Passthrough** from the **Pre Authentication** list. 9. Select **NDES WHFB Connectors** from the **Connector Group** list. -10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. +10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. 11. Click **Add**. 12. Sign-out of the Azure Portal. + > [!IMPORTANT] > Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate. - ### Enroll the NDES-Intune Authentication certificate This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server. @@ -449,8 +464,8 @@ Sign-in the NDES server with access equivalent to _local administrators_. 4. Click **Next** on the **Before You Begin** page. 5. Click **Next** on the **Select Certificate Enrollment Policy** page. 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. 9. Click **Enroll** @@ -462,44 +477,46 @@ This task configures the Web Server role on the NDES server to use the server au Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. -2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. -![NDES IIS Console](images/aadjcert/ndes-iis-console.png) +2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. + ![NDES IIS Console](images/aadjcert/ndes-iis-console.png) 3. Click **Bindings...*** under **Actions**. Click **Add**. -![NDES IIS Console](images/aadjcert/ndes-iis-bindings.png) + ![NDES IIS Console](images/aadjcert/ndes-iis-bindings.png) 4. Select **https** from **Type**. Confirm the value for **Port** is **443**. 5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. -![NDES IIS Console](images/aadjcert/ndes-iis-bindings-add-443.png) -6. Select **http** from the **Site Bindings** list. Click **Remove**. + ![NDES IIS Console](images/aadjcert/ndes-iis-bindings-add-443.png) +6. Select **http** from the **Site Bindings** list. Click **Remove**. 7. Click **Close** on the **Site Bindings** dialog box. -8. Close **Internet Information Services (IIS) Manager**. +8. Close **Internet Information Services (IIS) Manager**. ### Verify the configuration This task confirms the TLS configuration for the NDES server. Sign-in the NDES server with access equivalent to _local administrator_. -#### Disable Internet Explorer Enhanced Security Configuration +#### Disable Internet Explorer Enhanced Security Configuration 1. Open **Server Manager**. Click **Local Server** from the navigation pane. 2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section. 3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**. 4. Close **Server Manager**. #### Test the NDES web server -1. Open **Internet Explorer**. -2. In the navigation bar, type -```https://[fqdnHostName]/certsrv/mscep/mscep.dll``` -where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. +1. Open **Internet Explorer**. +2. In the navigation bar, type + ``` + https://[fqdnHostName]/certsrv/mscep/mscep.dll + ``` + where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. -A web page similar to the following should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. +A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. ![NDES IIS Console](images/aadjcert/ndes-https-website-test-01.png) -Confirm the web site uses the server authentication certificate. +Confirm the web site uses the server authentication certificate. ![NDES IIS Console](images/aadjcert/ndes-https-website-test-01-show-cert.png) ## Configure Network Device Enrollment Services to work with Microsoft Intune -You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs. +You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs. - Configure NDES to support long URLs @@ -510,7 +527,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. 3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. -![Intune NDES Request filtering](images/aadjcert/NDES-IIS-RequestFiltering.png) + ![Intune NDES Request filtering](images/aadjcert/NDES-IIS-RequestFiltering.png) 4. Select **Allow unlisted file name extensions**. 5. Select **Allow unlisted verbs**. 6. Select **Allow high-bit characters**. @@ -521,56 +538,58 @@ Sign-in the NDES server with access equivalent to _local administrator_. #### Configure Parameters for HTTP.SYS 1. Open an elevated command prompt. -2. Run the following commands
-```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534```
-```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```
+2. Run the following commands: + ``` + reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534 + reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534 + ``` 3. Restart the NDES server. ## Download, Install and Configure the Intune Certificate Connector -The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. +The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. -### Download Intune Certificate Connector +### Download Intune Certificate Connector Sign-in a workstation with access equivalent to a _domain user_. -1. Sign-in to the [Azure Portal](https://portal.azure.com/). -2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. -![Microsoft Intune Console](images/aadjcert/microsoftintuneconsole.png) -3. Select **Device Configuration**, and then select **Certificate Connectors**. -![Intune Certificate Authority](images/aadjcert/intunedeviceconfigurationcertauthority.png) -4. Click **Add**, and then click **Download the certificate connector software** under the **Steps to install connector for SCEP** section. -![Intune Download Certificate connector](images/aadjcert/intunedownloadcertconnector.png) -5. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. -6. Sign-out of the Azure Portal. +1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. +3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. + ![Intune Certificate Authority](images/aadjcert/profile01.png) +4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. +5. Sign-out of the Microsoft Endpoint Manager admin center. ### Install the Intune Certificate Connector Sign-in the NDES server with access equivalent to _domain administrator_. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. -3. On the **Microsoft Intune** page, click **Next**. +3. On the **Microsoft Intune** page, click **Next**. ![Intune Connector Install 01](images/aadjcert/intunecertconnectorinstall-01.png) 4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. 5. On the **Destination Folder** page, click **Next**. 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. ![Intune Connector Install 03](images/aadjcert/intunecertconnectorinstall-03.png) -7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. +7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. ![Intune Connector Install 05](images/aadjcert/intunecertconnectorinstall-05.png) + > [!NOTE] > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. ![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png) - > [!NOTE] - > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder -10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. + > [!NOTE] + > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. + +10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. ![Intune Connector install 07](images/aadjcert/intunecertconnectorinstall-07.png) ### Configure the Intune Certificate Connector Sign-in the NDES server with access equivalent to _domain administrator_. 1. The **NDES Connector** user interface should be open from the last task. + > [!NOTE] > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. @@ -579,10 +598,11 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. ![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png) - > [!IMPORTANT] - > The user account must have a valid Intune licenese assigned. If the user account does not have a valid Intune license, the sign-in fails. -4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task. + > [!IMPORTANT] + > The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails. + +4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task. ### Configure the NDES Connector for certificate revocation (**Optional**) @@ -594,30 +614,34 @@ Sign-in the certificate authority used by the NDES Connector with access equival 1. Start the **Certification Authority** management console. 2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. 3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. -![Configure Intune certificate revocation 02](images/aadjcert/intuneconfigcertrevocation-02.png) + ![Configure Intune certificate revocation 02](images/aadjcert/intuneconfigcertrevocation-02.png) 4. Close the **Certification Authority** #### Enable the NDES Connector for certificate revocation Sign-in the NDES server with access equivalent to _domain administrator_. 1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). -2. Click the **Advanced** tab. Select **Specify a different account username and password**. TYpe the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. -![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png) +2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. + ![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png) 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. ### Test the NDES Connector Sign-in the NDES server with access equivalent to _domain admin_. 1. Open a command prompt. -2. Type the following command to confirm the NDES Connector's last connection time is current.
-```reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
+2. Type the following command to confirm the NDES Connector's last connection time is current. + ``` + reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus + ``` 3. Close the command prompt. 4. Open **Internet Explorer**. -5. In the navigation bar, type
-```https://[fqdnHostName]/certsrv/mscep/mscep.dll```
-where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
-A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. -![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png) +5. In the navigation bar, type: + ``` + https://[fqdnHostName]/certsrv/mscep/mscep.dll + ``` + where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. + A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. + ![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png) 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile @@ -632,54 +656,50 @@ Sign-in a workstation with access equivalent to a _domain user_. 5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**. 6. Provide a **Group description**, if applicable. 7. Select **Assigned** from the **Membership type** list. -![Azure AD new group creation](images/aadjcert/azureadcreatewhfbcertgroup.png) + ![Azure AD new group creation](images/aadjcert/azureadcreatewhfbcertgroup.png) 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. 9. Click **Create**. ### Create a SCEP Certificate Profile Sign-in a workstation with access equivalent to a _domain user_. -1. Sign-in to the [Azure Portal](https://portal.azure.com/). -2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. -3. Select **Device Configuration**, and then click **Profiles**. -4. Select **Create Profile**. - ![Intune Device Configuration Create Profile](images/aadjcert/intunedeviceconfigurationcreateprofile.png) -5. Select **Windows 10 and later** from the **Platform** list. -6. Choose **SCEP certificate** from the **Profile** list, and select **Create**. -7. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**. -8. Next to **Description**, provide a description meaningful for your environment, then select **Next**. -9. Select **User** as a certificate type. -10. Configure **Certificate validity period** to match your organization. +1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +2. Select **Devices**, and then click **Configuration Profiles**. +3. Select **Create Profile**. + ![Intune Device Configuration Create Profile](images/aadjcert/profile02.png) +4. Select **Windows 10 and later** from the **Platform** list. +5. Choose **SCEP certificate** from the **Profile** list, and select **Create**. +6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**. +7. Next to **Description**, provide a description meaningful for your environment, then select **Next**. +8. Select **User** as a certificate type. +9. Configure **Certificate validity period** to match your organization. + > [!IMPORTANT] > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. -11. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. -12. Select **Custom** from the **Subject name format** list. -13. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. -14. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value. -15. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. -16. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority. - ![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png) -17. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. -18. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. - ![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png) -19. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. -20. Click **Next**. -21. Click **Next** two more times to skip the **Scope tags** and **Assignments** steps of the wizard and click **Create**. +10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. +11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. +12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}. +13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. +14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile. +15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. +16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. + ![WHFB SCEP certificate Profile EKUs](images/aadjcert/profile03.png) +17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. +18. Click **Next**. +19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**. ### Assign Group to the WHFB Certificate Enrollment Certificate Profile Sign-in a workstation with access equivalent to a _domain user_. -1. Sign-in to the [Azure Portal](https://portal.azure.com/). -2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. -3. Select **Device Configuration**, and then click **Profiles**. -4. Click **WHFB Certificate Enrollment**. -![WHFB Scep Profile landing](images/aadjcert/intunewhfbscepprofile-04.png) -5. Click **Assignments**. -6. In the **Assignments** pane, Click **Include**. Select **Selected Groups** from the **Assign to** list. Click **Select groups to include**. -![WHFB SCEP Profile Assignment](images/aadjcert/intunewhfbscepprofileassignment.png) -7. Select the **AADJ WHFB Certificate Users** group. Click **Select**. -8. Click **Save**. +1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +2. Select **Devices**, and then click **Configuration Profiles**. +3. Click **WHFB Certificate Enrollment**. +4. Select **Properties**, and then click **Edit** next to the **Assignments** section. +5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**. + ![WHFB SCEP Profile Assignment](images/aadjcert/profile04.png) +6. Select the **AADJ WHFB Certificate Users** group. Click **Select**. +7. Click **Review + Save**, and then **Save**. You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources. @@ -687,7 +707,7 @@ You have successfully completed the configuration. Add users that need to enrol > [!div class="checklist"] > * Requirements > * Prepare Azure AD Connect -> * Prepare the Network Device Enrollment Services (NDES) Service Acccount +> * Prepare the Network Device Enrollment Services (NDES) Service Account > * Prepare Active Directory Certificate Authority > * Install and Configure the NDES Role > * Configure Network Device Enrollment Services to work with Microsoft Intune diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index e5664fdeb0..0088ba56ad 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -100,12 +100,12 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h ## Multifactor Authentication Services Windows Hello for Business uses multi-factor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multi-factor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA -Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. +Review the [What is Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. -### Azure Multi-Factor Authentication (MFA) Cloud ### +### Azure AD Multi-Factor Authentication (MFA) Cloud ### > [!IMPORTANT] -> As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: -> * Azure Multi-Factor Authentication +> As long as your users have licenses that include Azure AD Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: +> * Azure AD Multi-Factor Authentication > * Azure Active Directory Premium > * Enterprise Mobility + Security > @@ -115,7 +115,7 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. #### Configure Azure MFA Settings #### -Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. +Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure AD Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. #### Azure MFA User States #### After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. @@ -126,12 +126,13 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation ### Section Review > [!div class="checklist"] -> * Review the overview and uses of Azure Multifactor Authentication. -> * Review your Azure Active Directory subscription for Azure Multifactor Authentication. -> * Create an Azure Multifactor Authentication Provider, if necessary. -> * Configure Azure Multifactor Authentication features and settings. -> * Understand the different User States and their effect on Azure Multifactor Authentication. -> * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server 2016 Active Directory Federation Services, if necessary. + +> * Review the overview and uses of Azure AD Multi-Factor Authentication Authentication. +> * Review your Azure Active Directory subscription for Azure AD Multi-Factor Authentication. +> * Create an Azure AD Multi-Factor Authentication Provider, if necessary. +> * Configure Azure AD Multi-Factor Authentication features and settings. +> * Understand the different User States and their effect on Azure AD Multi-Factor Authentication. +> * Consider using Azure AD Multi-Factor Authentication or a third-party multifactor authentication provider with Windows Server 2016 Active Directory Federation Services, if necessary. > [!div class="nextstepaction"] > [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index e5ebf54b09..81afb0421e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -506,7 +506,7 @@ The following script helps you with the creation of the issuance transform rules #### Configure Device Authentication in AD FS Using an elevated PowerShell command window, configure AD FS policy by executing the following command -`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All` +`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod SignedToken` #### Check your configuration For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 8a9763ebcd..cfb8b164f0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/20/2018 +ms.date: 01/14/2021 ms.reviewer: --- # Configure Windows Hello for Business: Active Directory Federation Services @@ -65,17 +65,19 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 7. Restart the AD FS server. > [!NOTE] ->For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: +> For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: > > 1. Launch AD FS management console. Browse to "Services > Scope Descriptions". > 2. Right click "Scope Descriptions" and select "Add Scope Description". > 3. Under name type "ugs" and Click Apply > OK. -> 4. Launch Powershell as Administrator. -> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier is equal to 38aa3b87-a06d-4817-b275-7a316988d93b and make a note of the ObjectIdentifier. -> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. -> 7. Restart the ADFS service. -> 8. On the client: Restart the client. User should be prompted to provision WHFB. -> 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot. +> 4. Launch PowerShell as an administrator. +> 5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": +> ```PowerShell +> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier +> ``` +> 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`. +> 7. Restart the AD FS service. +> 8. On the client: Restart the client. User should be prompted to provision Windows Hello for Business. ### Section Review diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 8bd8f3e995..2b5e042c13 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -13,39 +13,39 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 01/14/2021 ms.reviewer: --- # Configure Hybrid Windows Hello for Business: Public Key Infrastructure **Applies to** -- Windows 10, version 1703 or later -- Hybrid Deployment -- Certificate Trust +- Windows 10, version 1703 or later +- Hybrid Deployment +- Certificate Trust -Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. +Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer. -All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorities to provide defense-in-depth security for issuing user authentication certificates. +All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates. ## Certificate Templates -This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority. +This section has you configure certificate templates on your Windows Server 2012 (or later) Active Directory Certificate Services issuing certificate authority. ### Domain Controller certificate template Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority. -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD joined devices. The steps below to *Create a Domain Controller Authentication (Kerberos) Certificate Template* and *Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template* to include the **KDC Authentication** OID in the domain controller certificate may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD joined devices to your environment in the future. -By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template as a baseline to create an updated domain controller certificate template. +By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template as a baseline to create an updated domain controller certificate template. #### Create a Domain Controller Authentication (Kerberos) Certificate Template Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. +1. Open the **Certification Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. @@ -53,28 +53,28 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. +5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. > [!NOTE] > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. - + 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. 8. Close the console. #### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template -Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. +Many domain controllers may have an existing domain controller certificate. Active Directory Certificate Services provides a default certificate template for domain controllers--the Domain Controller certificate template. Later releases provided a new certificate template--the Domain Controller Authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. -The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). +The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers (2008 or later). -The auto-enrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. +The auto-enrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate based on the Kerberos Authentication certificate template. Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. +1. Open the **Certification Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. @@ -86,31 +86,32 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi 6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. -7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. +7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template, and click **OK**. 8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. 9. Click **OK** and close the **Certificate Templates** console. -The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. +The certificate template is configured to supersede all the certificate templates listed in the superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. > [!NOTE] -> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. +> A domain controller's certificate must chain to a certificate in the NTAuth store in Active Directory. By default, online "Enterprise" Active Directory Certificate Authority certificates are added to the NTAuth store at installation time. If you are using a third-party CA, this is not done by default. If the domain controller certificate does not chain to a trusted CA in the NTAuth store, user authentication will fail. +> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers. ### Enrollment Agent certificate template -Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate life-cycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. +Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request, or when the service first starts. -Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. +Approximately 60 days prior to the enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew and expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. > [!IMPORTANT] -> Follow the procedures below based on the AD FS service account used in your environment. +> Follow the procedures below based on the AD FS service account used in your environment. #### Creating an Enrollment Agent certificate for Group Managed Service Accounts -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +Sign-in to a certificate authority or management workstation with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority Management** console. +1. Open the **Certification Authority Management** console. 2. Right-click **Certificate Templates** and click **Manage**. @@ -123,11 +124,11 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. > [!NOTE] - > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the _Build from this Active Directory information_ option, which will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with _Supply in the request_ to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -8. On the **Security** tab, click **Add**. +8. On the **Security** tab, click **Add**. 9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. @@ -139,9 +140,9 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e #### Creating an Enrollment Agent certificate for typical Service Accounts -Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials. +Sign-in to a certificate authority or management workstation with *Domain Admin* equivalent credentials. -1. Open the **Certificate Authority** management console. +1. Open the **Certification Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. @@ -157,17 +158,17 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e 8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. -9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. 10. Close the console. ### Creating Windows Hello for Business authentication certificate template -During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. +During Windows Hello for Business provisioning, a Windows 10 client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it. -Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. +Sign-in to a certificate authority or management workstation with _Domain Admin equivalent_ credentials. -1. Open the **Certificate Authority** management console. +1. Open the **Certification Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. @@ -175,11 +176,11 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. +5. On the **General** tab, type **WHFB Authentication** or your choice of template name in **Template display name**. Note the short template name for later use with CertUtil. Adjust the validity and renewal period to meet your enterprise's needs. > [!NOTE] - > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. - + > If you use different template names, you'll need to remember and substitute these names in the relevant portions of the deployment. + 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. @@ -187,7 +188,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq 8. On the **Issuance Requirements** tab, select the **This number of authorized signatures** check box. Type **1** in the text box. Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. - + 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 10. On the **Request Handling** tab, select the **Renew with same key** check box. @@ -231,40 +232,39 @@ CertUtil: -dsTemplate command completed successfully." ``` > [!NOTE] -> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. +> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. ## Publish Templates ### Publish Certificate Templates to a Certificate Authority -The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. +The certificate authority only issues certificates for certificate templates which are published by that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. #### Publish Certificate Templates to the Certificate Authority Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. +1. Open the **Certification Authority** management console. 2. Expand the parent node from the navigation pane. 3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +5. In the **Enable Certificates Templates** window, Ctrl-select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. 6. Close the console. - #### Unpublish Superseded Certificate Templates -The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. +The certificate authority only issues certificates based on published certificate templates. For defense-in-depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes any pre-published certificate templates from the role installation and any superseded certificate templates. -The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. +The newly-created Kerberos authentication-based Domain Controller certificate template supersedes any previous domain controller certificate templates. Therefore, you should unpublish these certificate templates from all issuing certificate authorities. -Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. +Sign-in to each certificate authority, or a management workstation with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. +1. Open the **Certification Authority** management console. 2. Expand the parent node from the navigation pane. @@ -274,8 +274,8 @@ Sign-in to the certificate authority or management workstation with _Enterprise 5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. - ### Section Review + > [!div class="checklist"] > * Domain Controller certificate template > * Configure superseded domain controller certificate templates @@ -285,7 +285,6 @@ Sign-in to the certificate authority or management workstation with _Enterprise > * Publish Certificate templates to certificate authorities > * Unpublish superseded certificate templates > -> > [!div class="step-by-step"] > [< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) > [Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md) @@ -295,6 +294,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise
## Follow the Windows Hello for Business hybrid certificate trust deployment guide + 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 51e6922080..958991988c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -110,13 +110,13 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h ## Multifactor Authentication Services Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA or a third-party MFA adapter -Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. +Review the [What is Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. -### Azure Multi-Factor Authentication (MFA) Cloud +### Azure AD Multi-Factor Authentication (MFA) Cloud > [!IMPORTANT] -> As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: -> * Azure Multi-Factor Authentication +> As long as your users have licenses that include Azure AD Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: +> * Azure AD Multi-Factor Authentication > * Azure Active Directory Premium > * Enterprise Mobility + Security > @@ -124,7 +124,7 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co #### Configure Azure MFA Settings -Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. +Review the [Configure Azure AD Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. #### Azure MFA User States After you have completed configuring your Azure MFA settings, you want to review [How to require two-step verification for a user](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. @@ -135,12 +135,12 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation ### Section Review > [!div class="checklist"] -> * Review the overview and uses of Azure Multifactor Authentication. -> * Review your Azure Active Directory subscription for Azure Multifactor Authentication. -> * Create an Azure Multifactor Authentication Provider, if necessary. -> * Configure Azure Multifactor Authentication features and settings. -> * Understand the different User States and their effect on Azure Multifactor Authentication. -> * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary. +> * Review the overview and uses of Azure AD Multi-Factor Authentication. +> * Review your Azure Active Directory subscription for Azure AD Multi-Factor Authentication. +> * Create an Azure AD Multi-Factor Authentication Provider, if necessary. +> * Configure Azure AD Multi-Factor Authentication features and settings. +> * Understand the different User States and their effect on Azure AD Multi-Factor Authentication. +> * Consider using Azure AD Multi-Factor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary. > [!div class="nextstepaction"] > [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index fa3b1d7a97..1a946e82dc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -67,16 +67,15 @@ Key trust deployments do not need client issued certificates for on-premises aut The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca). -* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. +* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder. * The certificate Subject section should contain the directory path of the server object (the distinguished name). * The certificate Key Usage section must contain Digital Signature and Key Encipherment. * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5). * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. * The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template. -* The domain controller certificate must be installed in the local computer's certificate store. +* The domain controller certificate must be installed in the local computer's certificate store. See [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki) for details. - > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 87b70bbd2c..c05de0195e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -13,31 +13,31 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 01/14/2021 ms.reviewer: --- # Configure Hybrid Windows Hello for Business: Public Key Infrastructure **Applies to** -- Windows 10, version 1703 or later -- Hybrid Deployment -- Key trust +- Windows 10, version 1703 or later +- Hybrid Deployment +- Key trust Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. -All deployments use enterprise issued certificates for domain controllers as a root of trust. +All deployments use enterprise issued certificates for domain controllers as a root of trust. ## Certificate Templates -This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority. +This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority. ### Domain Controller certificate template Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority. -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD joined devices. The steps below to update the domain controller certificate to include the **KDC Authentication** OID may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD joined devices to your environment in the future. By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template. @@ -49,10 +49,10 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. +5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab. 6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. 8. Close the console. >[!NOTE] @@ -113,13 +113,13 @@ Sign-in to the certificate authority or management workstation with _Enterprise 5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. ### Section Review + > [!div class="checklist"] > * Domain Controller certificate template > * Configure superseded domain controller certificate templates > * Publish Certificate templates to certificate authorities > * Unpublish superseded certificate templates -> -> +> s > [!div class="step-by-step"] > [< Configure Azure AD Connect](hello-hybrid-key-whfb-settings-dir-sync.md) > [Configure policy settings >](hello-hybrid-key-whfb-settings-policy.md) @@ -129,6 +129,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise
## Follow the Windows Hello for Business hybrid key trust deployment guide + 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index a5a6d5a9a2..d53a57bff1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -1,6 +1,6 @@ --- -title: Windows Hello for Business (Windows 10) -description: Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. +title: Windows Hello for Business Deployment Prerequisite Overview +description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E ms.reviewer: keywords: identity, PIN, biometric, Hello, passport @@ -15,39 +15,25 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 05/05/2018 +ms.date: 1/22/2021 --- -# Windows Hello for Business +# Windows Hello for Business Deployment Prerequisite Overview -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
-Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account. +This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business. -Windows Hello addresses the following problems with passwords: - -- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. -- Server breaches can expose symmetric network credentials (passwords). -- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). -- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing). - -> | | | | -> | :---: | :---: | :---: | -> | [![Overview Icon](images/hello_filter.png)](hello-overview.md)
[Overview](hello-overview.md) | [![Why a PIN is better than a password Icon](images/hello_lock.png)](hello-why-pin-is-better-than-password.md)
[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [![Manage Hello Icon](images/hello_gear.png)](hello-manage-in-organization.md)
[Manage Windows Hello in your Organization](hello-manage-in-organization.md) | - -## Prerequisites - -### Cloud Only Deployment +## Cloud Only Deployment * Windows 10, version 1511 or later * Microsoft Azure Account * Azure Active Directory -* Azure Multi-factor authentication +* Azure AD Multi-Factor Authentication * Modern Management (Intune or supported third-party MDM), *optional* * Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory -### Hybrid Deployments +## Hybrid Deployments -The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. +The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. | Key trust
Group Policy managed | Certificate trust
Mixed managed | Key trust
Modern managed | Certificate trust
Modern managed | | --- | --- | --- | --- | @@ -75,7 +61,7 @@ The table shows the minimum requirements for each deployment. For key trust in a > Reset above lock screen - Windows 10, version 1709, Professional
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 -### On-premises Deployments +## On-premises Deployments The table shows the minimum requirements for each deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index a908e96533..2a2c07e715 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -298,7 +298,13 @@ Sign-in the domain controller or administrative workstation with domain administ 3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. 4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. 5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. -6. Close the DNS Management console +6. Right-click the `domain_name` node and select **New Alias (CNAME)**. +7. In the **New Resource Record** dialog box, type "enterpriseregistration" in the **Alias** name box. +8. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name.domain_name.com`, and click OK. +9. Close the DNS Management console. + +> [!NOTE] +> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.upnsuffix.com` is present for each suffix. ## Configure the Intranet Zone to include the federation service @@ -342,5 +348,3 @@ Before you continue with the deployment, validate your deployment progress by re 3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*) 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) 5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) - - diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 26a28b9593..8042bad1d8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -24,10 +24,10 @@ ms.reviewer: - Key trust -You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). +You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. -Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. +Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 51d246f3f4..1a4dcd1e37 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -1,12 +1,12 @@ --- -title: Key registration for on-premises deployment of Windows Hello for Business +title: Key registration for on-premises deployment of Windows Hello for Business description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model. keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin +author: dansimp audience: ITPro ms.author: dolmont manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 6377afa5a8..ce54bf0ffb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -19,7 +19,7 @@ ms.reviewer: # Validate and Deploy Multi-factor Authentication (MFA) > [!IMPORTANT] -> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. **Applies to** diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 18f6f3dbf0..c21280812b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -15,7 +15,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 4/16/2017 +ms.date: 1/20/2021 --- # Manage Windows Hello for Business in your organization @@ -369,9 +369,11 @@ For more information about using the PIN recovery service for PIN reset see [Win Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device. -Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source. +Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. -Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis. +Feature enablement policy and certificate trust policy are grouped together and enforced from the same source (either GP or MDM), based on the rule above. The Use Passport for Work policy is used to determine the winning policy source. + +All PIN complexity policies, are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis. >[!NOTE] > Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP. @@ -382,8 +384,6 @@ Use a hardware security device and RequireSecurityDevice enforcement are also gr > >- Use Windows Hello for Business - Enabled >- User certificate for on-premises authentication - Enabled ->- Require digits - Enabled ->- Minimum PIN length - 6 > >The following are configured using device MDM Policy: > @@ -398,8 +398,10 @@ Use a hardware security device and RequireSecurityDevice enforcement are also gr > >- Use Windows Hello for Business - Enabled >- Use certificate for on-premises authentication - Enabled ->- Require digits - Enabled ->- Minimum PIN length - 6d +>- MinimumPINLength - 8 +>- Digits - 1 +>- LowercaseLetters - 1 +>- SpecialCharacters - 1 ## How to use Windows Hello for Business with Azure Active Directory diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index ea3430b5dd..57805caf8b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -19,13 +19,15 @@ ms.reviewer: # Planning a Windows Hello for Business Deployment **Applies to** -- Windows 10 + +- Windows 10 Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs. -If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup). +> [!Note] +>If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup). ## Using this guide @@ -38,12 +40,13 @@ This guide removes the appearance of complexity by helping you make decisions on Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment. There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are: -* Deployment Options -* Client -* Management -* Active Directory -* Public Key Infrastructure -* Cloud + +- Deployment Options +- Client +- Management +- Active Directory +- Public Key Infrastructure +- Cloud ### Baseline Prerequisites @@ -58,13 +61,16 @@ The goal of Windows Hello for Business is to enable deployments for all organiza There are three deployment models from which you can choose: cloud only, hybrid, and on-premises. ##### Cloud only + The cloud only deployment model is for organizations who only have cloud identities and do not access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users do not use on-premises resources, they do not need certificates for things like VPN because everything they need is hosted in Azure. ##### Hybrid + The hybrid deployment model is for organizations that: -* Are federated with Azure Active Directory -* Have identities synchronized to Azure Active Directory using Azure Active Directory Connect -* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources + +- Are federated with Azure Active Directory +- Have identities synchronized to Azure Active Directory using Azure Active Directory Connect +- Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources > [!Important] > Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
@@ -106,13 +112,13 @@ The built-in Windows Hello for Business provisioning experience creates a hardwa #### Multifactor authentication > [!IMPORTANT] -> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details. +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure AD Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details. The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. -Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). +Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure AD Multi-Factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). > [!NOTE] -> Azure Multi-Factor Authentication is available through: +> Azure AD Multi-Factor Authentication is available through: > * Microsoft Enterprise Agreement > * Open Volume License Program > * Cloud Solution Providers program @@ -154,7 +160,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in ### Cloud -Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional. +Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from those that are optional. ## Planning a Deployment @@ -332,7 +338,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account (additional costs needed for multi-factor authentication). +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing). If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png new file mode 100644 index 0000000000..46db47b6f0 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile02.png new file mode 100644 index 0000000000..215b22ec23 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile02.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile03.png new file mode 100644 index 0000000000..91dc9f58ba Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile03.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile04.png new file mode 100644 index 0000000000..d15801152e Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile04.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-home-screen.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-home-screen.png new file mode 100644 index 0000000000..fce622e7f7 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-home-screen.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-option.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-option.png new file mode 100644 index 0000000000..7415de9616 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-option.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png new file mode 100644 index 0000000000..970e9f8109 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png new file mode 100644 index 0000000000..9903a59bf5 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png differ diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml new file mode 100644 index 0000000000..4282b8e701 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -0,0 +1,110 @@ +### YamlMime:Landing + +title: Windows Hello for Business documentation +summary: Learn how to manage and deploy Windows Hello for Business. + +metadata: + title: Windows Hello for Business documentation + description: Learn how to manage and deploy Windows Hello for Business. + ms.prod: w10 + ms.topic: landing-page + author: mapalko + manager: dansimp + ms.author: mapalko + ms.date: 01/22/2021 + ms.collection: M365-identity-device-management + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card + - title: About Windows Hello For Business + linkLists: + - linkListType: overview + links: + - text: Windows Hello for Business Overview + url: hello-overview.md + - linkListType: concept + links: + - text: Passwordless Strategy + url: passwordless-strategy.md + - text: Why a PIN is better than a password + url: hello-why-pin-is-better-than-password.md + - text: Windows Hello biometrics in the enterprise + url: hello-biometrics-in-enterprise.md + - text: How Windows Hello for Business works + url: hello-how-it-works.md + - linkListType: learn + links: + - text: Technical Deep Dive - Device Registration + url: hello-how-it-works-device-registration.md + - text: Technical Deep Dive - Provisioning + url: hello-how-it-works-provisioning.md + - text: Technical Deep Dive - Authentication + url: hello-how-it-works-authentication.md + - text: Technology and Terminology + url: hello-how-it-works-technology.md + - text: Frequently Asked Questions (FAQ) + url: hello-faq.yml + + # Card + - title: Configure and manage Windows Hello for Business + linkLists: + - linkListType: concept + links: + - text: Windows Hello for Business Deployment Overview + url: hello-deployment-guide.md + - text: Planning a Windows Hello for Business Deployment + url: hello-planning-guide.md + - text: Deployment Prerequisite Overview + url: hello-identity-verification.md + - linkListType: how-to-guide + links: + - text: Hybrid Azure AD Joined Key Trust Deployment + url: hello-hybrid-key-trust.md + - text: Hybrid Azure AD Joined Certificate Trust Deployment + url: hello-hybrid-cert-trust.md + - text: On-premises SSO for Azure AD Joined Devices + url: hello-hybrid-aadj-sso.md + - text: On-premises Key Trust Deployment + url: hello-deployment-key-trust.md + - text: On-premises Certificate Trust Deployment + url: hello-deployment-cert-trust.md + - linkListType: learn + links: + - text: Manage Windows Hello for Business in your organization + url: hello-manage-in-organization.md + - text: Windows Hello and password changes + url: hello-and-password-changes.md + - text: Prepare people to use Windows Hello + url: hello-prepare-people-to-use.md + + # Card + - title: Windows Hello for Business Features + linkLists: + - linkListType: how-to-guide + links: + - text: Conditional Access + url: hello-feature-conditional-access.md + - text: PIN Reset + url: hello-feature-pin-reset.md + - text: Dual Enrollment + url: hello-feature-dual-enrollment.md + - text: Dynamic Lock + url: hello-feature-dynamic-lock.md + - text: Multi-factor Unlock + url: feature-multifactor-unlock.md + - text: Remote Desktop + url: hello-feature-remote-desktop.md + + # Card + - title: Windows Hello for Business Troubleshooting + linkLists: + - linkListType: how-to-guide + links: + - text: Known Deployment Issues + url: hello-deployment-issues.md + - text: Errors During PIN Creation + url: hello-errors-during-pin-creation.md diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index dd1b6b18e0..87e71bc747 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -216,7 +216,7 @@ The policy name for these operating systems is **Interactive logon: Require Wind When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. #### Excluding the password credential provider -You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > Logon** +You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon** ![HideCredProvPolicy](images/passwordless/00-hidecredprov.png) The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**. diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md deleted file mode 100644 index 8ec19c126f..0000000000 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ /dev/null @@ -1,70 +0,0 @@ -# [Windows Hello for Business](hello-identity-verification.md) - -## [Password-less Strategy](passwordless-strategy.md) - -## [Windows Hello for Business Overview](hello-overview.md) -## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -## [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) - -## [Windows Hello for Business Features](hello-features.md) -### [Conditional Access](hello-feature-conditional-access.md) -### [Dual Enrollment](hello-feature-dual-enrollment.md) -### [Dynamic Lock](hello-feature-dynamic-lock.md) -### [Multifactor Unlock](feature-multifactor-unlock.md) -### [PIN Reset](hello-feature-pin-reset.md) -### [Remote Desktop](hello-feature-remote-desktop.md) - -## [How Windows Hello for Business works](hello-how-it-works.md) -### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive) -#### [Device Registration](hello-how-it-works-device-registration.md) -#### [Provisioning](hello-how-it-works-provisioning.md) -#### [Authentication](hello-how-it-works-authentication.md) -#### [Technology and Terminology](hello-how-it-works-technology.md) - -## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) - -## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - -## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md) - -### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) -#### [Prerequisites](hello-hybrid-key-trust-prereqs.md) -#### [New Installation Baseline](hello-hybrid-key-new-install.md) -#### [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) -#### [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -#### [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -#### [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) - -### [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) -#### [Prerequisites](hello-hybrid-cert-trust-prereqs.md) -#### [New Installation Baseline](hello-hybrid-cert-new-install.md) -#### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -#### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md) -#### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) - -### [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) -#### [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) -#### [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md) - -### [On Premises Key Trust Deployment](hello-deployment-key-trust.md) -#### [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) -#### [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) -##### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -#### [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) - -### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) -#### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -#### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -#### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -#### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) - -## [Windows Hello and password changes](hello-and-password-changes.md) -## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - -## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.md) -### [Windows Hello for Business Videos](hello-videos.md) - -## [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -## [Event ID 300 - Windows Hello successfully created](hello-event-300.md) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml new file mode 100644 index 0000000000..8a29bb7d81 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -0,0 +1,137 @@ +- name: Windows Hello for Business documentation + href: index.yml +- name: Overview + items: + - name: Windows Hello for Business Overview + href: hello-overview.md +- name: Concepts + expanded: true + items: + - name: Passwordless Strategy + href: passwordless-strategy.md + - name: Why a PIN is better than a password + href: hello-why-pin-is-better-than-password.md + - name: Windows Hello biometrics in the enterprise + href: hello-biometrics-in-enterprise.md + - name: How Windows Hello for Business works + href: hello-how-it-works.md + - name: Technical Deep Dive + items: + - name: Device Registration + href: hello-how-it-works-device-registration.md + - name: Provisioning + href: hello-how-it-works-provisioning.md + - name: Authentication + href: hello-how-it-works-authentication.md +- name: How-to Guides + items: + - name: Windows Hello for Business Deployment Overview + href: hello-deployment-guide.md + - name: Planning a Windows Hello for Business Deployment + href: hello-planning-guide.md + - name: Deployment Prerequisite Overview + href: hello-identity-verification.md + - name: Prepare people to use Windows Hello + href: hello-prepare-people-to-use.md + - name: Deployment Guides + items: + - name: Hybrid Azure AD Joined Key Trust + items: + - name: Hybrid Azure AD Joined Key Trust Deployment + href: hello-hybrid-key-trust.md + - name: Prerequisites + href: hello-hybrid-key-trust-prereqs.md + - name: New Installation Baseline + href: hello-hybrid-key-new-install.md + - name: Configure Directory Synchronization + href: hello-hybrid-key-trust-dirsync.md + - name: Configure Azure Device Registration + href: hello-hybrid-key-trust-devreg.md + - name: Configure Windows Hello for Business settings + href: hello-hybrid-key-whfb-settings.md + - name: Sign-in and Provisioning + href: hello-hybrid-key-whfb-provision.md + - name: Hybrid Azure AD Joined Certificate Trust + items: + - name: Hybrid Azure AD Joined Certificate Trust Deployment + href: hello-hybrid-cert-trust.md + - name: Prerequisites + href: hello-hybrid-cert-trust-prereqs.md + - name: New Installation Baseline + href: hello-hybrid-cert-new-install.md + - name: Configure Azure Device Registration + href: hello-hybrid-cert-trust-devreg.md + - name: Configure Windows Hello for Business settings + href: hello-hybrid-cert-whfb-settings.md + - name: Sign-in and Provisioning + href: hello-hybrid-cert-whfb-provision.md + - name: On-premises SSO for Azure AD Joined Devices + items: + - name: On-premises SSO for Azure AD Joined Devices Deployment + href: hello-hybrid-aadj-sso.md + - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business + href: hello-hybrid-aadj-sso-base.md + - name: Using Certificates for AADJ On-premises Single-sign On + href: hello-hybrid-aadj-sso-cert.md + - name: On-premises Key Trust + items: + - name: On-premises Key Trust Deployment + href: hello-deployment-key-trust.md + - name: Validate Active Directory Prerequisites + href: hello-key-trust-validate-ad-prereq.md + - name: Validate and Configure Public Key Infrastructure + href: hello-key-trust-validate-pki.md + - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + href: hello-key-trust-adfs.md + - name: Validate and Deploy Multi-factor Authentication (MFA) Services + href: hello-key-trust-validate-deploy-mfa.md + - name: Configure Windows Hello for Business policy settings + href: hello-key-trust-policy-settings.md + - name: On-premises Certificate Trust + items: + - name: On-premises Certificate Trust Deployment + href: hello-deployment-cert-trust.md + - name: Validate Active Directory Prerequisites + href: hello-cert-trust-validate-ad-prereq.md + - name: Validate and Configure Public Key Infrastructure + href: hello-cert-trust-validate-pki.md + - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + href: hello-cert-trust-adfs.md + - name: Validate and Deploy Multi-factor Authentication (MFA) Services + href: hello-cert-trust-validate-deploy-mfa.md + - name: Configure Windows Hello for Business policy settings + href: hello-cert-trust-policy-settings.md + - name: Managing Windows Hello for Business in your organization + href: hello-manage-in-organization.md + - name: Windows Hello for Business Features + items: + - name: Conditional Access + href: hello-feature-conditional-access.md + - name: PIN Reset + href: hello-feature-pin-reset.md + - name: Dual Enrollment + href: hello-feature-dual-enrollment.md + - name: Dynamic Lock + href: hello-feature-dynamic-lock.md + - name: Multi-factor Unlock + href: feature-multifactor-unlock.md + - name: Remote Desktop + href: hello-feature-remote-desktop.md + - name: Troubleshooting + items: + - name: Known Deployment Issues + href: hello-deployment-issues.md + - name: Errors During PIN Creation + href: hello-errors-during-pin-creation.md + - name: Event ID 300 - Windows Hello successfully created + href: hello-event-300.md + - name: Windows Hello and password changes + href: hello-and-password-changes.md +- name: Reference + items: + - name: Technology and Terminology + href: hello-how-it-works-technology.md + - name: Frequently Asked Questions (FAQ) + href: hello-faq.yml + - name: Windows Hello for Business videos + href: hello-videos.md diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md index 98e0bb9835..dd87cded73 100644 --- a/windows/security/identity-protection/index.md +++ b/windows/security/identity-protection/index.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: danihalfin +author: dansimp ms.author: daniha manager: dansimp ms.collection: M365-identity-device-management @@ -31,5 +31,5 @@ Learn more about identity and access management technologies in Windows 10 and | [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. | | [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. | -| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | +| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | | [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. | diff --git a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md index 65e353cb81..fc906d9e08 100644 --- a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md +++ b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 60dc685e1e..d3fb9810b8 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management @@ -181,7 +181,7 @@ mstsc.exe /remoteGuard ``` > [!NOTE] -> The user must be part of administrators group. +> The user must be authorized to connect to the remote server using Remote Desktop Protocol, for example by being a member of the Remote Desktop Users local group on the remote computer. ## Considerations when using Windows Defender Remote Credential Guard diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index 5e5003aa9f..f8baa1b11c 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 89ddb7fa8a..bb2559ccf0 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index 997384b9e0..ae671b4ace 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index 17564fc13b..3d76ae2b17 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index d905fbf992..dbaa8112f7 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index 04e43174e8..50d2b45bb2 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 56228dff85..9939c9ec73 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index dd8812970c..fa36cf563f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index a913f4c769..e4548fc317 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md index 794b8e096c..74fdcc3e8f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index 53ebc5b4f6..99defcec30 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 254e57e0e9..10ffd31a84 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -8,7 +8,7 @@ ms.mktglfcycl: operate ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index e8d50dc97f..130688534d 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index 9c9011d7ad..a95145abaa 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md index 9cb4e34436..793fe303aa 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management @@ -65,7 +65,7 @@ This policy setting controls the behavior of the elevation prompt for standard u This policy setting controls the behavior of application installation detection for the computer. - **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -- **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Endpoint Configuration Manager should disable this policy setting. In this case, installer detection is unnecessary. +- **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Endpoint Manager should disable this policy setting. In this case, installer detection is unnecessary. ## User Account Control: Only elevate executable files that are signed and validated diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index 5e643f7d75..a168874b63 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index f0b0220678..6fb462eb81 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index 34daf7a11e..6810a79d95 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md index aa61d00b97..29bb2adede 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md index a979d2b781..c37a9a9b29 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index 0194ee2c80..d7c394285f 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index 0737f18fec..30671f6e4a 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 6b9868b0f0..97ee24eb64 100644 --- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.author: dansimp ms.localizationpriority: medium ms.date: 02/08/2018 diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 0b6ff85b21..24a4378ebe 100644 --- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.date: 04/19/2017 ms.reviewer: manager: dansimp diff --git a/windows/security/identity-protection/vpn/images/vpn-connection-intune.png b/windows/security/identity-protection/vpn/images/vpn-connection-intune.png index bf551eabb7..8098b3445e 100644 Binary files a/windows/security/identity-protection/vpn/images/vpn-connection-intune.png and b/windows/security/identity-protection/vpn/images/vpn-connection-intune.png differ diff --git a/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png b/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png index 94cbb2c5cb..c6437e95d1 100644 Binary files a/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png and b/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png differ diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 3fe2c08d57..5f4cf0a2b1 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 29c8f5e474..59ffc5f231 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index fc09e68a62..0d608b647c 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.reviewer: @@ -31,6 +31,7 @@ Conditional Access Platform components used for Device Compliance include the fo - [Windows Health Attestation Service](https://technet.microsoft.com/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional) - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. +See also [Always On VPN deployment for Windows Server and Windows 10](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy). - Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued. @@ -74,10 +75,12 @@ Two client-side configuration service providers are leveraged for VPN device com - Collects TPM data used to verify health states - Forwards the data to the Health Attestation Service (HAS) - Provisions the Health Attestation Certificate received from the HAS - - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification + - Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification > [!NOTE] -> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources. +> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources. +> +> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero). ## Client connection flow diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index 92c4d2b8c5..a0330b3425 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md @@ -5,9 +5,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 11/13/2020 ms.reviewer: manager: dansimp ms.author: dansimp @@ -61,11 +61,11 @@ There are a number of Universal Windows Platform VPN applications, such as Pulse See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. -The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune. +The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune: ![Available connection types](images/vpn-connection-intune.png) -In Intune, you can also include custom XML for third-party plug-in profiles. +In Intune, you can also include custom XML for third-party plug-in profiles: ![Custom XML](images/vpn-custom-xml-intune.png) diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index cb543ad1cd..1ec959d53e 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -1,12 +1,12 @@ --- title: Windows 10 VPN technical guide (Windows 10) -description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. +description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 11/13/2020 ms.reviewer: manager: dansimp ms.author: dansimp @@ -20,12 +20,12 @@ ms.author: dansimp - Windows 10 - Windows 10 Mobile -This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10. +This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10. -![Intune VPN policy template](images/vpn-intune-policy.png) +To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-windows-10). ->[!NOTE] ->This guide does not explain server deployment. +> [!NOTE] +> This guide does not explain server deployment. ## In this guide @@ -43,7 +43,5 @@ This guide will walk you through the decisions you will make for Windows 10 clie ## Learn more -- [VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune) - - +- [Create VPN profiles to connect to VPN servers in Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-configure) diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md index 6ff26370e3..2076d89817 100644 --- a/windows/security/identity-protection/vpn/vpn-name-resolution.md +++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: @@ -52,7 +52,7 @@ Primary DNS suffix is set using the **VPNv2/*ProfileName*/DnsSuffix** node. ## Persistent -You can also configure *persistent* name resolution rules. Name resolution for specified items will only performed over VPN. +You can also configure *persistent* name resolution rules. Name resolution for specified items will only be performed over the VPN. Persistent name resolution is set using the **VPNv2/*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node. diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 29b5df1daf..d47c757946 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.author: dansimp ms.localizationpriority: medium ms.date: 05/17/2018 @@ -34,7 +34,6 @@ The following table lists the VPN settings and whether the setting can be config | Routing: forced-tunnel | yes | | Authentication (EAP) | yes, if connection type is built-in | | Conditional access | yes | -| Proxy settings | yes, by PAC/WPAD file or server and port | | Name resolution: NRPT | yes | | Name resolution: DNS suffix | no | | Name resolution: persistent | no | @@ -45,6 +44,10 @@ The following table lists the VPN settings and whether the setting can be config | LockDown | no | | Windows Information Protection (WIP) | yes | | Traffic filters | yes | +| Proxy settings | yes, by PAC/WPAD file or server and port | + +> [!NOTE] +> VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings are used. The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic. diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index 416bc57d04..fd26221328 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md +++ b/windows/security/identity-protection/vpn/vpn-routing.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index d8f4768540..96964c7d9b 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: @@ -20,23 +20,6 @@ ms.author: dansimp - Windows 10 Mobile -## LockDown VPN - -A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features: - -- The system attempts to keep the VPN connected at all times. -- The user cannot disconnect the VPN connection. -- The user cannot delete or modify the VPN profile. -- The VPN LockDown profile uses forced tunnel connection. -- If the VPN connection is not available, outbound network traffic is blocked. -- Only one VPN LockDown profile is allowed on a device. - -> [!NOTE] -> For built-in VPN, LockDown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type. - -Deploy this feature with caution, as the resultant connection will not be able to send or receive any network traffic without the VPN being connected. - - ## Windows Information Protection (WIP) integration with VPN Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices, without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally. @@ -78,6 +61,24 @@ The following image shows the interface to configure traffic rules in a VPN Prof ![Add a traffic rule](images/vpn-traffic-rules.png) + +## LockDown VPN + +A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features: + +- The system attempts to keep the VPN connected at all times. +- The user cannot disconnect the VPN connection. +- The user cannot delete or modify the VPN profile. +- The VPN LockDown profile uses forced tunnel connection. +- If the VPN connection is not available, outbound network traffic is blocked. +- Only one VPN LockDown profile is allowed on a device. + +> [!NOTE] +> For built-in VPN, LockDown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type. + +Deploy this feature with caution, as the resultant connection will not be able to send or receive any network traffic without the VPN being connected. + + ## Related topics - [VPN technical guide](vpn-guide.md) diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index 26db02bc64..2c1a02b8db 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md index c2499cf092..efaf6664a9 100644 --- a/windows/security/includes/improve-request-performance.md +++ b/windows/security/includes/improve-request-performance.md @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- ->[!NOTE] +>[!TIP] >For better performance, you can use server closer to your geo location: > - api-us.securitycenter.microsoft.com > - api-eu.securitycenter.microsoft.com diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md index 246c89eb92..542eec5756 100644 --- a/windows/security/includes/machineactionsnote.md +++ b/windows/security/includes/machineactionsnote.md @@ -1,6 +1,6 @@ --- -title: Perform a Machine Action via the Microsoft Defender ATP API -description: This page focuses on performing a machine action via the Microsoft Defender Advanced Threat Protection (MDATP) API. +title: Perform a Machine Action via the Microsoft Defender for Endpoint API +description: This page focuses on performing a machine action via the Microsoft Defender for Endpoint API. ms.date: 08/28/2017 ms.reviewer: manager: dansimp @@ -10,4 +10,4 @@ ms.prod: w10 --- >[!Note] -> This page focuses on performing a machine action via API. See [take response actions on a machine](../threat-protection/microsoft-defender-atp/respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP. +> This page focuses on performing a machine action via API. See [take response actions on a machine](../threat-protection/microsoft-defender-atp/respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender for Endpoint. diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md new file mode 100644 index 0000000000..4f58a3d8d5 --- /dev/null +++ b/windows/security/includes/microsoft-defender-api-usgov.md @@ -0,0 +1,20 @@ +--- +title: Microsoft Defender for Endpoint API URIs for US Government +description: Microsoft Defender for Endpoint API URIs for US Government +keywords: defender, endpoint, api, government, gov +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +>[!NOTE] +>If you are a US Government customer, please use the URIs listed in [Microsoft Defender for Endpoint for US Government customers](../threat-protection/microsoft-defender-atp/gov.md#api). diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md index 46153786b9..0cf05d9d0d 100644 --- a/windows/security/includes/microsoft-defender.md +++ b/windows/security/includes/microsoft-defender.md @@ -1,14 +1,14 @@ --- -title: Microsoft Defender rebrand guidance -description: A note in regard to the Microsoft Defender rebrand. -ms.date: 09/21/2020 +title: Microsoft Defender important guidance +description: A note in regard to important Microsoft Defender guidance. +ms.date: ms.reviewer: manager: dansimp -ms.author: daniha -author: danihalfin +ms.author: dansimp +author: dansimp ms.prod: w10 ms.topic: include --- > [!IMPORTANT] -> Welcome to **Microsoft Defender for Endpoint**, the new name for **Microsoft Defender Advanced Threat Protection**. Read more about this and other updates [here](https://www.microsoft.com/security/blog/?p=91813). We'll be updating names in products and in the docs in the near future. +> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. [Learn what's new](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the **Applies To** section and look for specific call outs in this article where there might be differences. diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md index a83544340f..a008aa45d7 100644 --- a/windows/security/includes/prerelease.md +++ b/windows/security/includes/prerelease.md @@ -1,6 +1,6 @@ --- -title: Microsoft Defender ATP Pre-release Disclaimer -description: Disclaimer for pre-release version of Microsoft Defender ATP. +title: Microsoft Defender for Endpoint Pre-release Disclaimer +description: Disclaimer for pre-release version of Microsoft Defender for Endpoint. ms.date: 08/28/2017 ms.reviewer: manager: dansimp diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index 6fe54f4f4d..442b60a184 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -3,9 +3,9 @@ ## [BitLocker](bitlocker\bitlocker-overview.md) ### [Overview of BitLocker Device Encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md) ### [BitLocker frequently asked questions (FAQ)](bitlocker\bitlocker-frequently-asked-questions.md) -#### [Overview and requirements](bitlocker\bitlocker-overview-and-requirements-faq.md) +#### [Overview and requirements](bitlocker\bitlocker-overview-and-requirements-faq.yml) #### [Upgrading](bitlocker\bitlocker-upgrading-faq.md) -#### [Deployment and administration](bitlocker\bitlocker-deployment-and-administration-faq.md) +#### [Deployment and administration](bitlocker\bitlocker-deployment-and-administration-faq.yml) #### [Key management](bitlocker\bitlocker-key-management-faq.md) #### [BitLocker To Go](bitlocker\bitlocker-to-go-faq.md) #### [Active Directory Domain Services](bitlocker\bitlocker-and-adds-faq.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md deleted file mode 100644 index 064a82cf8e..0000000000 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md +++ /dev/null @@ -1,101 +0,0 @@ ---- -title: BitLocker deployment and administration FAQ (Windows 10) -description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?" -ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee -ms.reviewer: -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/28/2019 -ms.custom: bitlocker ---- - -# BitLocker frequently asked questions (FAQ) - -**Applies to** -- Windows 10 - -## Can BitLocker deployment be automated in an enterprise environment? - -Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/bitlocker/index?view=win10-ps). - -## Can BitLocker encrypt more than just the operating system drive? - -Yes. - -## Is there a noticeable performance impact when BitLocker is enabled on a computer? - -Generally it imposes a single-digit percentage performance overhead. - -## How long will initial encryption take when BitLocker is turned on? - -Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive. - -You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. - -## What happens if the computer is turned off during encryption or decryption? - -If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable. - -## Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data? - -No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. - -## How can I prevent users on a network from storing data on an unencrypted drive? - -You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). -When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. - -## What is Used Disk Space Only encryption? - -BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption). - -## What system changes would cause the integrity check on my operating system drive to fail? - -The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive: - -- Moving the BitLocker-protected drive into a new computer. -- Installing a new motherboard with a new TPM. -- Turning off, disabling, or clearing the TPM. -- Changing any boot configuration settings. -- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. - -## What causes BitLocker to start into recovery mode when attempting to start the operating system drive? - -Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. -For example: - -- Changing the BIOS boot order to boot another drive in advance of the hard drive. -- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards. -- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. - -In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. -The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. - -## What can prevent BitLocker from binding to PCR 7? - -BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it. - -## Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? - -Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. - -## Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? - -Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. - -## Why is "Turn BitLocker on" not available when I right-click a drive? -Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted. - -## What type of disk configurations are supported by BitLocker? -Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported. - - diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml new file mode 100644 index 0000000000..8b59d31999 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml @@ -0,0 +1,96 @@ +### YamlMime:FAQ +metadata: + title: BitLocker deployment and administration FAQ (Windows 10) + description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?" + ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee + ms.reviewer: + ms.prod: w10 + ms.mktglfcycl: explore + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: dansimp + ms.author: dansimp + manager: dansimp + audience: ITPro + ms.collection: M365-security-compliance + ms.topic: conceptual + ms.date: 02/28/2019 + ms.custom: bitlocker + +title: BitLocker frequently asked questions (FAQ) +summary: | + **Applies to** + - Windows 10 + + +sections: + - name: Ignored + questions: + - question: Can BitLocker deployment be automated in an enterprise environment? + answer: | + Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/bitlocker/index?view=win10-ps). + + - question: Can BitLocker encrypt more than just the operating system drive? + answer: Yes. + + - question: Is there a noticeable performance impact when BitLocker is enabled on a computer? + answer: Typically, there's a small performance overhead, often in single-digit percentages, which is relative to the throughput of the storage operations on which it needs to operate. + + - question: How long will initial encryption take when BitLocker is turned on? + answer: | + Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive. + + You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. + + - question: What happens if the computer is turned off during encryption or decryption? + answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable. + + - question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data? + answer: No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. + + - question: How can I prevent users on a network from storing data on an unencrypted drive? + answer: | + You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. + + - question: What is Used Disk Space Only encryption? + answer: | + BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption). + + - question: What system changes would cause the integrity check on my operating system drive to fail? + answer: | + The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive: + + - Moving the BitLocker-protected drive into a new computer. + - Installing a new motherboard with a new TPM. + - Turning off, disabling, or clearing the TPM. + - Changing any boot configuration settings. + - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. + + - question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive? + answer: | + Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. + For example: + + - Changing the BIOS boot order to boot another drive in advance of the hard drive. + - Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards. + - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. + + In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. + The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. + + - question: What can prevent BitLocker from binding to PCR 7? + answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it. + + - question: Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? + answer: Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. + + - question: Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? + answer: Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. + + - question: Why is "Turn BitLocker on" not available when I right-click a drive? + answer: Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted. + + - question: What type of disk configurations are supported by BitLocker? + answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported. diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md index 3679c9fde7..31ee0816da 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md @@ -25,9 +25,9 @@ ms.custom: bitlocker This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. -- [Overview and requirements](bitlocker-overview-and-requirements-faq.md) +- [Overview and requirements](bitlocker-overview-and-requirements-faq.yml) - [Upgrading](bitlocker-upgrading-faq.md) -- [Deployment and administration](bitlocker-deployment-and-administration-faq.md) +- [Deployment and administration](bitlocker-deployment-and-administration-faq.yml) - [Key management](bitlocker-key-management-faq.md) - [BitLocker To Go](bitlocker-to-go-faq.md) - [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index d9658a3113..2bda9b48ce 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -20,9 +20,9 @@ ms.custom: bitlocker # BitLocker Group Policy settings -**Applies to** +**Applies to:** -- Windows 10 +- Windows 10, Windows Server 2019, Windows Server 2016, Windows 8.1, and Windows Server 2012 R2 This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. @@ -37,6 +37,9 @@ Most of the BitLocker Group Policy settings are applied when BitLocker is initia If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. +> [!NOTE] +> For more details about Active Directory configuration related to BitLocker enablement, please see [Set up MDT for BitLocker](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker). + ## BitLocker Group Policy settings The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives. diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 5c7b1190b1..b69e88d45f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -1,6 +1,6 @@ --- -title: BitLocker How to enable Network Unlock (Windows 10) -description: This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. +title: BitLocker - How to enable Network Unlock (Windows 10) +description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it. ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9 ms.reviewer: ms.prod: w10 @@ -23,178 +23,168 @@ ms.custom: bitlocker **Applies to** - Windows 10 -This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. +This article for IT professionals describes how BitLocker Network Unlock works and how to configure it. -Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. -Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers. +Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock helps you manage BitLocker-enabled desktops and servers in a domain environment by automatically unlocking operating system volumes when the system is rebooted and is connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. -Network Unlock allows BitLocker-enabled systems with TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the key for Network Unlock is composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session. +Without Network Unlock, operating system volumes that use TPM+PIN protectors require a PIN when a computer reboots or resumes after hibernation (for example, by Wake on LAN). For enterprises, this setup can make software patches difficult to roll out to unattended desktops and remotely administered servers. -This topic contains: - -- [Network Unlock core requirements](#bkmk-nunlockcorereqs) -- [Network Unlock sequence](#bkmk-networkunlockseq) -- [Configure Network Unlock](#bkmk-configuringnetworkunlock) -- [Create the certificate template for Network Unlock](#bkmk-createcerttmpl) -- [Turning off Network Unlock](#bkmk-turnoffnetworkunlock) -- [Update Network Unlock certificates](#bkmk-updatecerts) -- [Troubleshoot Network Unlock](#bkmk-troubleshoot) -- [Configure Network Unlock on unsupported systems](#bkmk-unsupportedsystems) +Network Unlock allows BitLocker-enabled systems that use TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works like the TPM+StartupKey at boot. But the StartupKey doesn't need to be read from USB media. Instead, the key for Network Unlock is composed from a key that's stored in the TPM and an encrypted network key that's sent to the server. It's decrypted and returned to the client in a secure session. ## Network Unlock core requirements -Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain joined systems. These requirements include: +Network Unlock requires the following mandatory hardware and software configurations before it can automatically unlock domain-joined systems: - You must be running at least Windows 8 or Windows Server 2012. -- Any supported operating system with UEFI DHCP drivers can be Network Unlock clients. -- Network Unlock clients must have a TPM chip and at least one TPM protector. -- A server running the Windows Deployment Services (WDS) role on any supported server operating system. -- BitLocker Network Unlock optional feature installed on any supported server operating system. -- A DHCP server, separate from the WDS server. -- Properly configured public/private key pairing. -- Network Unlock Group Policy settings configured. +- Any supported operating system that uses UEFI DHCP drivers can be a Network Unlock client. +- Network Unlock clients must have a TPM (trusted platform module) chip and at least one TPM protector. +- You must have a server running the Windows Deployment Services (WDS) role on any supported server operating system. +- The BitLocker Network Unlock optional feature can be installed on any supported server operating system. +- You must have a DHCP server, separate from the WDS server. +- You must have a properly configured public/private key pairing. +- Network Unlock Group Policy settings must be configured. -The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus, so you need to confirm that the network stack has been enabled in the BIOS before starting the computer. +The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus. So confirm that the network stack has been enabled in the BIOS before you start the computer. > [!NOTE] -> To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled. +> To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled. -For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail. +On computers that run Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This adapter must be used for Network Unlock. + +Use this configuration especially when you have multiple adapters and you want to configure one without DHCP, such as for a lights-out management protocol. The configuration is necessary because Network Unlock stops enumerating adapters when it reaches an adapter that has a DHCP port that has failed for any reason. So if the first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail. -The Network Unlock server component installs on supported versions of Windows Server 2012 and later as a Windows feature using Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement. +On supported versions of Windows Server 2012 and later, the Network Unlock server component installs as a Windows feature. It uses Server Manager or Windows PowerShell cmdlets. In Server Manager, the feature name is BitLocker Network Unlock. In Windows PowerShell, the feature name is BitLocker-NetworkUnlock. This feature is a core requirement. -Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation is not required; however, the WDS service needs to be running on the server. +Network Unlock requires WDS in the environment where the feature will be used. Configuration of the WDS installation isn't required. But the WDS service must be running on the server. -The network key is stored on the system drive along with an AES 256 session key, and encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key. +The network key is stored on the system drive along with an AES 256 session key. It's encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server that's running WDS. The network key is returned encrypted with its corresponding session key. ## Network Unlock sequence -The unlock sequence starts on the client side, when the Windows boot manager detects the existence of Network Unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. +The unlock sequence starts on the client side, when the Windows boot manager detects the existence of the Network Unlock protector. It uses the DHCP driver in UEFI to get an IP address for IPv4. Then it broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described earlier. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. -On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet in order to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive. +On the server side, the WDS server role has an optional plug-in component, like a PXE (preboot execution environment) provider. The plug-in component handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions. These restrictions require the IP address that's provided by the client in the Network Unlock request to belong to a permitted subnet in order to release the network key to the client. If the Network Unlock provider is unavailable, then BitLocker fails over to the next available protector to unlock the drive. So in a typical configuration, the standard TPM+PIN unlock screen is presented to unlock the drive. -The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and for the public key certificate to be distributed to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM). +The server-side configuration to enable Network Unlock requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate. The configuration also requires the public key certificate to be distributed to the clients. -![bitlocker network unlock sequence](images/bitlockernetworkunlocksequence.png) +Manage and deploy this certificate through the Group Policy editor directly on a domain controller that has a domain functional level of at least Windows Server 2012. This certificate is the public key that encrypts the intermediate network key. The intermediate network key is one of the two secrets that are required to unlock the drive; the other secret is stored in the TPM. -**Phases in the Network Unlock process** +![Diagram showing the BitLocker network unlock sequence.](images/bitlockernetworkunlocksequence.png) -1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration. -2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address. +The Network Unlock process follows these phases: + +1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration. +2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address. 3. The client computer broadcasts a vendor-specific DHCP request that contains: - 1. A Network Key (a 256-bit intermediate key) encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. - 2. An AES-256 session key for the reply. + - A network key (a 256-bit intermediate key) that's encrypted by the 2048-bit RSA public key of the Network Unlock certificate from the WDS server. + - An AES-256 session key for the reply. 4. The Network Unlock provider on the WDS server recognizes the vendor-specific request. -5. The provider decrypts it with the WDS server’s BitLocker Network Unlock certificate RSA private key. -6. The WDS provider then returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This forms an intermediate key. -7. The returned intermediate key is then combined with another local 256-bit intermediate key that can only be decrypted by the TPM. +5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key. +6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key. +7. The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM. 8. This combined key is used to create an AES-256 key that unlocks the volume. 9. Windows continues the boot sequence. ## Configure Network Unlock -The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. +The following steps allow an administrator to configure Network Unlock in a domain where the functional level is at least Windows Server 2012. -### Install the WDS Server role +### Install the WDS server role -The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. +The BitLocker Network Unlock feature installs the WDS role if it's not already installed. If you want to install it separately before you install BitLocker Network Unlock, use Server Manager or Windows PowerShell. To install the role in Server Manager, select the **Windows Deployment Services** role. -To install the role using Windows PowerShell, use the following command: +To install the role by using Windows PowerShell, use the following command: ```powershell Install-WindowsFeature WDS-Deployment ``` -You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard. +Configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. Use the WDS management tool, `wdsmgmt.msc`. This tool starts the Windows Deployment Services Configuration Wizard. -### Confirm the WDS Service is running +### Confirm the WDS service is running -To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. +To confirm the WDS service is running, use the Services Management console or Windows PowerShell. To confirm the service is running in the Services Management console, open the console by using `services.msc`. Then check the status of the WDS service. -To confirm the service is running using Windows PowerShell, use the following command: +To confirm the service is running by using Windows PowerShell, use the following command: ```powershell Get-Service WDSServer ``` -### Install the Network Unlock feature +### Install the Network Unlock feature -To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. +To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature in the Server Manager console, select **BitLocker Network Unlock**. -To install the feature using Windows PowerShell, use the following command: +To install the feature by using Windows PowerShell, use the following command: ```powershell Install-WindowsFeature BitLocker-NetworkUnlock ``` -### Create the certificate template for Network Unlock +### Create the certificate template for Network Unlock -A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates. +A properly configured Active Directory Services Certification Authority can use the certificate template to create and issue Network Unlock certificates. To create a certificate template: -1. Open the Certificates Template snap-in (certtmpl.msc). -2. Locate the User template. Right-click the template name and select **Duplicate Template**. -3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8 respectively. Ensure the **Show resulting changes** dialog box is selected. -4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option. -5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected. -6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility we recommend using the **Microsoft Software Key Storage Provider**.) -7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as the **Microsoft Software Key Storage Provider**. -8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears. -9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options. -10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**. -11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**. -12. On the **Edit Application Policies Extension** dialog box, select **Add**. -13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy: +1. Open the certificate template snap-in (`certtmpl.msc`). +2. Locate the user template. Right-click the template name, and then select **Duplicate Template**. +3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to **Windows Server 2012** and **Windows 8**, respectively. Ensure **Show resulting changes** is selected. +4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for **Publish certificate in Active Directory**. +5. Select the **Request Handling** tab. In the **Purpose** drop-down menu, select **Encryption**. Ensure the **Allow private key to be exported** option is selected. +6. Select the **Cryptography** tab. Set the **Minimum key size** to **2048**. (For this template, you can use any Microsoft cryptographic provider that supports RSA. But for simplicity and forward compatibility, we recommend using **Microsoft Software Key Storage Provider**.) +7. Select **Requests must use one of the following providers**. Then clear all options except for your selected cryptography provider, such as the **Microsoft Software Key Storage Provider**. +8. Select the **Subject Name** tab. Select **Supply in the request**. If the certificate templates dialog box appears, select **OK**. +9. Select the **Issuance Requirements** tab. Then select both **CA certificate manager approval** and **Valid existing certificate**. +10. Select the **Extensions** tab. Then select **Application Policies** > **Edit**. +11. In the **Edit Application Policies Extension** dialog box, select **Client Authentication**, **Encrypting File System**, and **Secure Email**. Then choose **Remove**. +12. In the **Edit Application Policies Extension** dialog box, select **Add**. +13. In the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided, and then select **OK** to create the BitLocker Network Unlock application policy. - - **Name:** **BitLocker Network Unlock** - - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** + - **Name**: **BitLocker Network Unlock** + - **Object Identifier**: **1.3.6.1.4.1.311.67.1.1** -14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**. -15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. +14. Select the newly created **BitLocker Network Unlock** application policy, and then select **OK**. +15. With the **Extensions** tab still open, select **Edit Key Usage Extension**, and then select **Allow key exchange only with key encryption (key encipherment)**. Then select **Make this extension critical**. 16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission. 17. Select **OK** to complete configuration of the template. -To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. +To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. -After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock. +After you add the Network Unlock template to the certificate authority, you can use this certificate to configure BitLocker Network Unlock. -### Create the Network Unlock certificate +### Create the Network Unlock certificate -Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. +Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate. -To enroll a certificate from an existing certification authority (CA), do the following: +To enroll a certificate from an existing certificate authority: -1. Open Certificate Manager on the WDS server using **certmgr.msc** -2. Under the Certificates - Current User item, right-click Personal -3. Select All Tasks, then **Request New Certificate** -4. Select **Next** when the Certificate Enrollment wizard opens -5. Select Active Directory Enrollment Policy -6. Choose the certificate template created for Network Unlock on the Domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate: +1. On the WDS server, open Certificate Manager by using `certmgr.msc`. +2. Under **Certificates - Current User**, right-click **Personal**. +3. Select **All Tasks** > **Request New Certificate**. +4. When the Certificate Enrollment wizard opens, select **Next**. +5. Select **Active Directory Enrollment Policy**. +6. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**. +1. When you're prompted for more information, select **Subject Name** and provide a friendly name value. Your friendly name should include information for the domain or organizational unit for the certificate. Here's an example: *BitLocker Network Unlock Certificate for Contoso domain*. +7. Create the certificate. Ensure the certificate appears in the **Personal** folder. +8. Export the public key certificate for Network Unlock: - - Select the **Subject Name** pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example "BitLocker Network Unlock Certificate for Contoso domain" - -7. Create the certificate. Ensure the certificate appears in the Personal folder. -8. Export the public key certificate for Network Unlock - - 1. Create a .cer file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. + 1. Create a *.cer* file by right-clicking the previously created certificate and choosing **All Tasks** > **Export**. 2. Select **No, do not export the private key**. - 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. - 4. Give the file a name such as BitLocker-NetworkUnlock.cer. - -9. Export the public key with a private key for Network Unlock - - 1. Create a .pfx file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. + 3. Select **DER encoded binary X.509**, and then finish exporting the certificate to a file. + 4. Give the file a name, such as *BitLocker-NetworkUnlock.cer*. +9. Export the public key with a private key for Network Unlock: + 1. Create a *.pfx* file by right-clicking the previously created certificate. Then choose **All Tasks** > **Export**. 2. Select **Yes, export the private key**. - 3. Complete the wizard to create the .pfx file. + 3. Complete the steps to create the *.pfx* file. -To create a self-signed certificate, you can either use the New-SelfSignedCertificate cmdlet in Windows PowerShell or use Certreq. +To create a self-signed certificate, either use the `New-SelfSignedCertificate` cmdlet in Windows PowerShell or use `certreq`. -Windows PowerShell example: +Here's a Windows PowerShell example: ```powershell New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1") ``` -Certreq example: +Here's a `certreq` example: -1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf. +1. Create a text file that has an *.inf* extension. For example, *notepad.exe* *BitLocker-NetworkUnlock.inf*. 2. Add the following contents to the previously created file: ```ini @@ -216,176 +206,183 @@ Certreq example: _continue_ = "1.3.6.1.4.1.311.67.1.1" ``` -3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name: +3. Open an elevated command prompt and use the `certreq` tool to create a new certificate. Use the following command, specifying the full path to the file that you created previously. Also specify the file name. ```cmd certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer ``` -4. Verify the previous command properly created the certificate by confirming the .cer file exists. -5. Launch Certificates - Local Machine by running **certlm.msc**. -6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. +4. Verify the previous command properly created the certificate by confirming the *.cer* file exists. +5. Launch **Certificates - Local Machine** by running `certlm.msc`. +6. Create a *.pfx* file by opening the *Certificates – Local Computer\\Personal\\Certificates* path in the navigation pane. Right-click the previously imported certificate, and then select **All Tasks** > **Export**. Follow through the steps to create the *.pfx* file. -### Deploy the private key and certificate to the WDS server +### Deploy the private key and certificate to the WDS server -With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: +Now that you've created the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates: -1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. -2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import**. -3. In the **File to Import** dialog, choose the .pfx file created previously. -4. Enter the password used to create the .pfx and complete the wizard. +1. On the WDS server, open a new Microsoft Management Console (MMC), and then add the certificates snap-in. When you're prompted, select the computer account and local computer. +2. Right-click **Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock**, and then choose **All Tasks** > **Import**. +3. In the **File to Import** dialog box, choose the *.pfx* file that you created previously. +4. Enter the password that you used to create the *.pfx* file, and finish the steps. ### Configure Group Policy settings for Network Unlock -With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console. +You've now deployed the certificate and key to the WDS server for Network Unlock. In the final step, you'll use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock by using the Network Unlock key. Find Group Policy settings for BitLocker in *\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption* by using the Local Group Policy Editor or the MMC. -The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock. +To enable the Group Policy setting that's required to configure Network Unlock: -1. Open Group Policy Management Console (gpmc.msc). -2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** or **Allow startup PIN with TPM** option. +1. Open Group Policy Management Console (`gpmc.msc`). +2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**. 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. -The following steps describe how to deploy the required Group Policy setting: +To deploy the required Group Policy setting: > [!NOTE] > The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. -1. Copy the .cer file created for Network Unlock to the domain controller. -2. On the domain controller, launch Group Policy Management Console (gpmc.msc). +1. Copy the *.cer* file that you created for Network Unlock to the domain controller. +2. On the domain controller, open Group Policy Management Console (`gpmc.msc`). 3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. 4. Deploy the public certificate to clients: - 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**. - 2. Right-click the folder and choose **Add Network Unlock Certificate**. - 3. Follow the wizard steps and import the .cer file that was copied earlier. + 1. In Group Policy Management Console, go to *Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate*. + 2. Right-click the folder, and then choose **Add Network Unlock Certificate**. + 3. Follow the steps and import the *.cer* file that you copied earlier. -> [!NOTE] -> Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer. + > [!NOTE] + > Only one network unlock certificate can be available at a time. If you need a new certificate, delete the current certificate before you deploy a new one. The Network Unlock certificate is located in the *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* key on the client computer. -5. Reboot the clients after deploying the group policy. +5. Reboot the clients after you deploy the Group Policy. > [!NOTE] - > The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store. + > The **Network (Certificate Based)** protector is added only after a reboot where the policy is enabled and a valid certificate is present in the FVE_NKP store. -### Subnet policy configuration files on WDS Server (Optional) +### Subnet policy configuration files on the WDS server (optional) -By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock. +By default, the server unlocks clients that have the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP. You can create a subnet policy configuration file on the WDS server to limit the subnets that Network Unlock clients can use for unlocking. -The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL (%windir%\System32\Nkpprov.dll) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider will fail and stop responding to requests. +The configuration file, called *bde-network-unlock.ini*, must be located in the same directory as the Network Unlock provider dynamic-link library (*%windir%\System32\Nkpprov.dll*). The configuration file applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, then the provider fails and stops responding to requests. -The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equals sign, and the subnet identified on the right of the equal sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names. +The subnet policy configuration file must use a `[SUBNETS]` section to identify the specific subnets. You can then use the named subnets to specify restrictions in certificate subsections. + +Subnets are defined as simple name-value pairs, in the common INI format. In this format, each subnet has its own line. The name is on the left of the equals sign. The subnet on the right of the equals sign is a Classless Interdomain Routing (CIDR) address or range. The keyword `ENABLED` is disallowed for subnet names. ```ini [SUBNETS] -SUBNET1=10.185.250.0/24 ; comment about this subrange could be here, after the semi-colon +SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon SUBNET2=10.185.252.200/28 SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. ``` -Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate. +Following the `[SUBNETS]` section are sections for each Network Unlock certificate. A certificate is identified by the certificate thumbprint, which is formatted without any spaces. These sections define subnet clients that you can unlock by using that certificate. > [!NOTE] -> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid. +> When you specify the certificate thumbprint, don't include spaces. Thumbprints that include spaces aren't recognized as valid. The spaces will cause the subnet configuration to fail. -Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. -Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. +Each certificate section defines subnet restrictions by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate has no section in the subnet policy configuration file, then no subnet unlocking restrictions are applied for that certificate. + +So to apply restrictions to every certificate, you must add a certificate section for every Network Unlock certificate on the server. And you must add an explicit allow list set for each certificate section. + +Create subnet lists by putting the name of a subnet from the `[SUBNETS]` section on its own line below the certificate section header. Then, the server will unlock clients that have this certificate only on the subnets that the list specifies. + +To troubleshoot, you can quickly exclude a subnet without deleting it from the section. Just comment it out by using a prepended semicolon. ```ini [2158a767e1c14e88e27a4c0aee111d2de2eafe60] ;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on. -;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out. +;This list shows this cert is allowed to unlock clients only on the SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out. SUBNET1 ;SUBNET2 SUBNET3 ``` -To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED". +To disallow the use of a certificate altogether, add a `DISABLED` line to its subnet list. -## Turning off Network Unlock +## Turn off Network Unlock -To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. +To turn off the unlock server, you can unregister the PXE provider from the WDS server or uninstall it altogether. However, to stop clients from creating Network Unlock protectors, you should disable the **Allow Network Unlock at startup** Group Policy setting. When you disable this policy setting on client computers, any Network Unlock key protectors on the computer are deleted. Alternatively, you can delete the BitLocker Network Unlock certificate policy on the domain controller to accomplish the same task for an entire domain. > [!NOTE] -> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. +> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. However, this condition is seen as an error. It's not a supported or recommended method for turning off the Network Unlock server. -## Update Network Unlock certificates +## Update Network Unlock certificates -To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller. +To update the certificates that Network Unlock uses, administrators need to import or generate the new certificate for the server. Then they must update the Network Unlock certificate Group Policy setting on the domain controller. > [!NOTE] -> Servers that do not receive the Group Policy Object (GPO) will require a PIN when booting. In such cases, the reason why the server did not receive the GPO to update the certificate needs to be investigated. +> Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why the server didn't receive the GPO to update the certificate. ## Troubleshoot Network Unlock -Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue will be the root cause of the failure. Items to verify include: +To troubleshoot Network Unlock problems, begin by verifying the environment. Often, a small configuration issue is the root cause of the failure. Verify these items: -- Verify client hardware is UEFI-based and is on firmware version is 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode. -- All required roles and services are installed and started -- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer. -- Group policy for Network Unlock is enabled and linked to the appropriate domains. -- Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. -- Verify the clients were rebooted after applying the policy. -- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the local computer: +- Client hardware is based on UEFI and uses firmware version 2.3.1, and the UEFI firmware is in native mode and has no compatibility support module (CSM) for BIOS mode enabled. Verify this configuration by ensuring that the firmware has no enabled option such as **Legacy mode** or **Compatibility mode** and that the firmware doesn't appear to be in a BIOS-like mode. +- All required roles and services are installed and started. +- Public and private certificates have been published and are in the proper certificate containers. Verify the presence of the Network Unlock certificate by using Microsoft Management Console (*MMC.exe*) on the WDS server. The certificate snap-ins for the local computer should be enabled. Verify the client certificate by checking the registry key *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* on the client computer. +- Group Policy for Network Unlock is enabled and linked to the appropriate domains. +- Group Policy is reaching the clients properly. Verify this functionality by using the *GPRESULT.exe* utility or the *RSOP.msc* utility. +- The clients were rebooted after the policy was applied. +- The **Network (Certificate Based)** protector is listed on the client. Check for this protector by using either `manage-bde` or Windows PowerShell cmdlets. For example, the following command lists the key protectors that are currently configured on drive C on the local computer. ```powershell manage-bde -protectors -get C: ``` > [!NOTE] - > Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock + > Use the output of `manage-bde` along with the WDS debug log to determine whether the proper certificate thumbprint is being used for Network Unlock. -Files to gather when troubleshooting BitLocker Network Unlock include: +Gather the following files to troubleshoot BitLocker Network Unlock. -1. The Windows event logs. Specifically the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log +- The Windows event logs. Specifically, get the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log. - Debug logging is turned off by default for the WDS server role, so you will need to enable it first. You can use either of the following two methods to turn on WDS debug logging. + Debug logging is turned off by default for the WDS server role, so you need to enable it before you can retrieve it. Use either of the following two methods to turn on WDS debug logging. - 1. Start an elevated command prompt and run the following command: + - Start an elevated command prompt, and then run the following command: ```cmd wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true ``` - 2. Open Event Viewer on the WDS server. + - Open Event Viewer on the WDS server: - In the left pane, click **Applications and Services Logs**, click **Microsoft**, click **Windows**, click **Deployment-Services-Diagnostics**, and then click **Debug**. + 1. In the left pane, select **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**. + 1. In the right pane, select **Enable Log**. - In the right pane, click **Enable Log**. - -2. The DHCP subnet configuration file (if one exists). -3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell. -4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address. +- The DHCP subnet configuration file (if one exists). +- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`. +- The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address. ## Configure Network Unlock Group Policy settings on earlier versions -Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012 but can be deployed using operating systems running Windows Server 2008 R2 and Windows Server 2008. +Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012. But you can deploy them by using operating systems that run Windows Server 2008 R2 and Windows Server 2008. -**Requirements** +Your system must meet these requirements: -- The server hosting WDS must be running any of the server operating systems designated in the **Applies To** list at the beginning of this topic. -- Client computers must be running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. +- The server that hosts WDS must be running a server operating system that's designated in the "Applies to" list at the beginning of this article. +- Client computers must be running a client operating system that's designated in the "Applies to" list at the beginning of this article. -The following steps can be used to configure Network Unlock on these older systems. +Follow these steps to configure Network Unlock on these older systems. -1. [Install the WDS Server role](#bkmk-installwdsrole) -2. [Confirm the WDS Service is running](#bkmk-confirmwdsrunning) -3. [Install the Network Unlock feature](#bkmk-installnufeature) -4. [Create the Network Unlock certificate](#bkmk-createcert) -5. [Deploy the private key and certificate to the WDS server](#bkmk-deploycert) +1. [Install the WDS server role.](#bkmk-installwdsrole) +2. [Confirm the WDS service is running.](#bkmk-confirmwdsrunning) +3. [Install the Network Unlock feature.](#bkmk-installnufeature) +4. [Create the Network Unlock certificate.](#bkmk-createcert) +5. [Deploy the private key and certificate to the WDS server.](#bkmk-deploycert) 6. Configure registry settings for Network Unlock: - Apply the registry settings by running the following certutil script (assuming your network unlock certificate file is called **BitLocker-NetworkUnlock.cer**) on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. -```console - certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f -``` + Apply the registry settings by running the following `certutil` script (assuming your Network Unlock certificate file is called *BitLocker-NetworkUnlock.cer*) on each computer that runs a client operating system that's designated in the "Applies to" list at the beginning of this article. -7. Set up a TPM protector on the clients -8. Reboot the clients to add the Network (Certificate Based) protector + ```console + certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f + ``` + +7. Set up a TPM protector on the clients. +8. Reboot the clients to add the **Network (Certificate Based)** protector. ## See also diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md deleted file mode 100644 index 7f9715b9c0..0000000000 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ /dev/null @@ -1,82 +0,0 @@ ---- -title: BitLocker overview and requirements FAQ (Windows 10) -description: This topic for the IT professional answers frequently asked questions concerning the requirements to use BitLocker. -ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee -ms.reviewer: -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/28/2019 -ms.custom: bitlocker ---- - -# BitLocker Overview and Requirements FAQ - -**Applies to** -- Windows 10 - -## How does BitLocker work? - -**How BitLocker works with operating system drives** - -You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data. - -**How BitLocker works with fixed and removable data drives** - -You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods. - -## Does BitLocker support multifactor authentication? - -Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection. - -## What are the BitLocker hardware and software requirements? - -For requirements, see [System requirements](bitlocker-overview.md#system-requirements). - -> [!NOTE] -> Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it cannot be protected by BitLocker. - -## Why are two partitions required? Why does the system drive have to be so large? - -Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. - -## Which Trusted Platform Modules (TPMs) does BitLocker support? - -BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device. - -> [!NOTE] -> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. - -> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. - -## How can I tell if a TPM is on my computer? - -Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. - -## Can I use BitLocker on an operating system drive without a TPM? - -Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide. -To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. - -## How do I obtain BIOS support for the TPM on my computer? - -Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: - -- It is compliant with the TCG standards for a client computer. -- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. - -## What credentials are required to use BitLocker? - -To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. - -## What is the recommended boot order for computers that are going to be BitLocker-protected? - -You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml new file mode 100644 index 0000000000..63b1488107 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml @@ -0,0 +1,82 @@ +### YamlMime:FAQ +metadata: + title: BitLocker overview and requirements FAQ (Windows 10) + description: This topic for the IT professional answers frequently asked questions concerning the requirements to use BitLocker. + ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee + ms.reviewer: + ms.prod: w10 + ms.mktglfcycl: explore + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: dansimp + ms.author: dansimp + manager: dansimp + audience: ITPro + ms.collection: M365-security-compliance + ms.topic: conceptual + ms.date: 02/28/2019 + ms.custom: bitlocker + +title: BitLocker Overview and Requirements FAQ +summary: | + **Applies to** + - Windows 10 + + +sections: + - name: Ignored + questions: + - question: How does BitLocker work? + answer: | + **How BitLocker works with operating system drives** + + You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data. + + **How BitLocker works with fixed and removable data drives** + + You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods. + + - question: Does BitLocker support multifactor authentication? + answer: Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection. + + - question: What are the BitLocker hardware and software requirements? + answer: | + For requirements, see [System requirements](bitlocker-overview.md#system-requirements). + + > [!NOTE] + > Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it cannot be protected by BitLocker. + + - question: Why are two partitions required? Why does the system drive have to be so large? + answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. + + - question: Which Trusted Platform Modules (TPMs) does BitLocker support? + answer: | + BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device. + + > [!NOTE] + > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. + > + > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. + + - question: How can I tell if a TPM is on my computer? + answer: Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. + + - question: Can I use BitLocker on an operating system drive without a TPM? + answer: | + Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide. + To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. + + - question: How do I obtain BIOS support for the TPM on my computer? + answer: | + Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: + + - It is compliant with the TCG standards for a client computer. + - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. + + - question: What credentials are required to use BitLocker? + answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. + + - question: What is the recommended boot order for computers that are going to be BitLocker-protected? + answer: You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  + diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 131a256f82..91df6ad467 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -62,7 +62,7 @@ A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant B The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. > [!IMPORTANT] -> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://blogs.technet.microsoft.com/tip_of_the_day/2014/01/22/tip-of-the-day-bitlocker-without-tpm-or-usb/). +> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup). > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. @@ -74,6 +74,8 @@ The hard disk must be partitioned with at least two drives: - The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. - The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space. +A partition subject to encryption cannot be marked as an active partition (this applies to the operating system, fixed data, and removable data drives). + When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker. When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives. @@ -97,5 +99,3 @@ When installing the BitLocker optional component on a server you will also need | [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. | | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| | [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core | - - diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 4f3681db63..eaccfb9c9f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -2,7 +2,7 @@ title: BitLocker recovery guide (Windows 10) description: This article for IT professionals describes how to recover BitLocker keys from AD DS. ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14 -ms.reviewer: +ms.reviewer: ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -339,7 +339,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** The hint for the Microsoft Account and the custom URL are displayed. -![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.PNG) +![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.png) #### Example 2 (single recovery key with single backup) @@ -354,7 +354,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** Only the custom URL is displayed. -![Example 2 of customized BitLocker recovery screen](./images/rp-example2.PNG) +![Example 2 of customized BitLocker recovery screen](./images/rp-example2.png) #### Example 3 (single recovery key with multiple backups) @@ -369,7 +369,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** Only the Microsoft Account hint is displayed. -![Example 3 of customized BitLocker recovery screen](./images/rp-example3.PNG) +![Example 3 of customized BitLocker recovery screen](./images/rp-example3.png) #### Example 4 (multiple recovery passwords) @@ -399,7 +399,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key. -![Example 4 of customized BitLocker recovery screen](./images/rp-example4.PNG) +![Example 4 of customized BitLocker recovery screen](./images/rp-example4.png) #### Example 5 (multiple recovery passwords) @@ -429,7 +429,7 @@ There are rules governing which hint is shown during the recovery (in order of p **Result:** The hint for the most recent key is displayed. -![Example 5 of customized BitLocker recovery screen](./images/rp-example5.PNG) +![Example 5 of customized BitLocker recovery screen](./images/rp-example5.png) ## Using additional recovery information @@ -484,7 +484,7 @@ You can reset the recovery password in two ways: > [!WARNING] > You must include the braces in the ID string. - + **To run the sample recovery password script:** 1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index 9ed6f0f984..4ae0e5d8e8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium ms.author: v-maave -author: martyav +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/information-protection/bitlocker/images/rp-example1.PNG b/windows/security/information-protection/bitlocker/images/rp-example1.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/rp-example1.PNG rename to windows/security/information-protection/bitlocker/images/rp-example1.png diff --git a/windows/security/information-protection/bitlocker/images/rp-example2.PNG b/windows/security/information-protection/bitlocker/images/rp-example2.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/rp-example2.PNG rename to windows/security/information-protection/bitlocker/images/rp-example2.png diff --git a/windows/security/information-protection/bitlocker/images/rp-example3.PNG b/windows/security/information-protection/bitlocker/images/rp-example3.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/rp-example3.PNG rename to windows/security/information-protection/bitlocker/images/rp-example3.png diff --git a/windows/security/information-protection/bitlocker/images/rp-example4.PNG b/windows/security/information-protection/bitlocker/images/rp-example4.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/rp-example4.PNG rename to windows/security/information-protection/bitlocker/images/rp-example4.png diff --git a/windows/security/information-protection/bitlocker/images/rp-example5.PNG b/windows/security/information-protection/bitlocker/images/rp-example5.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/rp-example5.PNG rename to windows/security/information-protection/bitlocker/images/rp-example5.png diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md index c112d898f7..8e005347db 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md @@ -1,5 +1,5 @@ --- -title: BitLocker cannot encrypt a drive known TPM issues +title: BitLocker cannot encrypt a drive known TPM issues description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM ms.reviewer: kaushika ms.technology: windows @@ -16,7 +16,6 @@ ms.date: 10/18/2019 ms.custom: bitlocker --- - # BitLocker cannot encrypt a drive: known TPM issues This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. @@ -38,8 +37,10 @@ To resolve this issue, follow these steps: 1. Open an elevated PowerShell window and run the following script: - ```ps - $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} + ```powershell + $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" + $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus + if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} ``` 1. Restart the computer. If you are prompted at the restart screen, press F12 to agree. @@ -67,7 +68,7 @@ To resolve this issue, disable and re-enable the TPM. To do this, follow these s If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm). > [!WARNING] -> Clearing the TPM can cause data loss. +> Clearing the TPM can cause data loss. ## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005 @@ -79,7 +80,7 @@ The TPM did not have sufficient permissions on the TPM Devices container in Acti This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10. -### Resolution +### Resolution To verify that you have correctly identified this issue, use one of the following methods: @@ -88,7 +89,7 @@ To verify that you have correctly identified this issue, use one of the followin 1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command: - ```ps + ```powershell Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer ``` @@ -98,7 +99,7 @@ To verify that you have correctly identified this issue, use one of the followin ## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server" -Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. +Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following: @@ -115,14 +116,14 @@ The domain and forest functional level of the environment may still be set to Wi To resolve this issue, follow these steps: 1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2. -1. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133). -1. In the script, modify the value of **strPathToDomain** to your domain name. -1. Open an elevated PowerShell window, and run the following command: +2. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133). +3. In the script, modify the value of **strPathToDomain** to your domain name. +4. Open an elevated PowerShell window, and run the following command: - ```ps + ```powershell cscript Add-TPMSelfWriteACE.vbs ``` - + In this command \<*Path*> is the path to the script file. For more information, see the following articles: diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 74e8c2d67c..2c39161d3c 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 017eb64762..76cd4b50a5 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -7,7 +7,7 @@ ms.mktglfcycl: Explore ms.pagetype: security ms.sitesec: library ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance @@ -84,7 +84,7 @@ These requirements help protect you from rootkits while allowing you to run any - **Configure UEFI to trust your custom bootloader.** All Certified For Windows 10 PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems. - **Turn off Secure Boot.** All Certified For Windows 10 PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however. -To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. For more information about Secure Boot, read the blog, [Protecting the pre-OS environment with UEFI](https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx). +To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot cannot be turned off, and you cannot load a different operating system. Fortunately, there is a large market of ARM devices designed to run other operating systems. diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md index 3e3fdfd9b5..596d94cff0 100644 --- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md index 1cb7f1c281..7854157fed 100644 --- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md +++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index c802bfae51..06d8c54066 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index cf6d045df3..27d47eebbc 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index d9e1befbcd..fed9817bba 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index e2ae8c85e5..06382dc117 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro @@ -151,5 +151,5 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) - [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/) -- [TPM WMI providers](https://msdn.microsoft.com/library/aa376476.aspx) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [TPM WMI providers](https://docs.microsoft.com/windows/win32/secprov/security-wmi-providers-reference) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#tpm-hardware-configurations) diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index fb2784e2d5..997c6add77 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index a6c748fa89..d573495c4e 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index d94485704c..f6df5436b6 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md index 45c32cd7da..124caf74f2 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index 97733a4dd7..f7aad3051d 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 78edc9a59e..c84d5cbc1a 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 2bcfcf6622..629994e90f 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index 6c672171ac..a124fbdd24 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index 49a57283b7..ac44e2f1bd 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md @@ -1,5 +1,5 @@ --- -title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10) +title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10) description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data. ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 ms.reviewer: @@ -9,7 +9,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 7f89a245b5..19f213f47f 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -1,11 +1,11 @@ --- title: Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune (Windows 10) -description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network. +description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro @@ -444,7 +444,7 @@ To stop Windows from automatically blocking these connections, you can add the ` For example: ```console -URL <,proxy>|URL <,proxy>/*AppCompat*/ +URL <,proxy>|URL <,proxy>|/*AppCompat*/ ``` When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index 42caa212cd..524199cf73 100644 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index ebe3c59220..557fa276cb 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -9,7 +9,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md index 576fe7cf71..bbfa13516c 100644 --- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md +++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md @@ -9,7 +9,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index 27d3f1d9c9..bf2e926154 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro @@ -28,7 +28,7 @@ This list provides all of the tasks and settings that are required for the opera |Task|Description| |----|-----------| |Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.| -|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| +|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.

Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md index a1e662c65e..419f25c61c 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md @@ -1,6 +1,6 @@ --- -title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10) -description: Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10) +description: Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 ms.reviewer: ms.prod: w10 @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro @@ -23,11 +23,11 @@ ms.date: 02/26/2019 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later -Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ## In this section |Topic |Description | |------|------------| -|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md index e40c2405a1..42f746faba 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md @@ -1,6 +1,6 @@ --- title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10) -description: Microsoft Intune and Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy. +description: Microsoft Intune and Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy. ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 ms.reviewer: ms.prod: w10 @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 9af557f950..336a37f408 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -9,7 +9,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro @@ -110,7 +110,7 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give - **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. >[!NOTE] - >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.
Microsoft Endpoint Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. + >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.
Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. ## How WIP works WIP helps address your everyday challenges in the enterprise. Including: diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index fee621245c..d2ff6e2a2f 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 7353daae25..2eefdaf76e 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -9,7 +9,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md index 94df767962..c7caa873dc 100644 --- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index 5a8333cab2..b54cc7cbe1 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 1d2ce21e5e..958d86d6b1 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -1,15 +1,15 @@ # [Threat protection](index.md) ## [Overview]() -### [What is Microsoft Defender Advanced Threat Protection?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) +### [What is Microsoft Defender for Endpoint?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) ### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md) -### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) +### [What's new in Microsoft Defender for Endpoint](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) ### [Preview features](microsoft-defender-atp/preview.md) ### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md) ### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md) ### [Portal overview](microsoft-defender-atp/portal-overview.md) -### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md) -### [Microsoft Defender ATP for non-Windows platforms](microsoft-defender-atp/non-windows.md) +### [Microsoft Defender for Endpoint for US Government customers](microsoft-defender-atp/gov.md) +### [Microsoft Defender for Endpoint for non-Windows platforms](microsoft-defender-atp/non-windows.md) ## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md) @@ -106,7 +106,7 @@ #### [Device control]() ##### [Code integrity](device-guard/enable-virtualization-based-protection-of-code-integrity.md) ##### [Control USB devices](device-control/control-usb-devices-using-intune.md) - +##### [Device control report](device-control/device-control-report.md) #### [Exploit protection]() ##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md) @@ -114,6 +114,7 @@ ##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md) ##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md) ##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md) +##### [Troubleshoot exploit protection mitigations](microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md) ##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md ) #### [Network protection]() @@ -162,7 +163,7 @@ ###### [Detect and block Potentially Unwanted Applications](microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) ###### [Enable and configure always-on protection and monitoring](microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) -##### [Antivirus on Windows Server 2016](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md) +##### [Antivirus on Windows Server](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md) ##### [Antivirus compatibility]() ###### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) @@ -170,39 +171,35 @@ ##### [Manage next-generation protection in your business]() ###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md) -###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next-generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md) +###### [Use Microsoft Intune and Microsoft Endpoint Manager to manage next-generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md) ###### [Use Group Policy settings to manage next-generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md) ###### [Use PowerShell cmdlets to manage next-generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md) ###### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md) ###### [Use the mpcmdrun.exe command line tool to manage next-generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md) -###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md) ##### [Deploy, manage updates, and report on antivirus]() ###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md) ###### [Deploy and enable antivirus](microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md) -####### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md) +###### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md) ###### [Report on antivirus protection]() -####### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md) -####### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md) - -###### [Manage updates and apply baselines]() -####### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md) -####### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md) -####### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md) -####### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md) -####### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md) -####### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) +###### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md) +###### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md) +###### [Learn about the recent updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md) +###### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md) +###### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md) +###### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md) +###### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md) +###### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) ##### [Customize, initiate, and review the results of scans and remediation]() ###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md) -###### [Configure and validate exclusions in antivirus scans]() -####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) -####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) -####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) -####### [Configure antivirus exclusions Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) -####### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions in antivirus scans](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) +###### [Configure antivirus exclusions Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) +###### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md) ###### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md) ###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md) ###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md) @@ -216,10 +213,10 @@ ###### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md) ###### [Configure and validate exclusions in antivirus scans]() -####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) -####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) -####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) -####### [Configure antivirus exclusions on Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) +###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) +###### [Configure antivirus exclusions on Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) ###### [Configure scanning options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md) @@ -231,18 +228,18 @@ ###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md) ###### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md) -#### [Better together: Microsoft Defender Antivirus and Microsoft Defender ATP](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md) +#### [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md) #### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md) -### [Microsoft Defender Advanced Threat Protection for Mac]() -#### [Overview of Microsoft Defender ATP for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md) +### [Microsoft Defender for Endpoint for Mac]() +#### [Overview of Microsoft Defender for Endpoint for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md) #### [What's New](microsoft-defender-atp/mac-whatsnew.md) #### [Deploy]() ##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md) ##### [JAMF Pro-based deployment]() -###### [Deploying Microsoft Defender ATP for macOS using Jamf Pro](microsoft-defender-atp/mac-install-with-jamf.md) +###### [Deploying Microsoft Defender for Endpoint for macOS using Jamf Pro](microsoft-defender-atp/mac-install-with-jamf.md) ###### [Login to Jamf Pro](microsoft-defender-atp/mac-install-jamfpro-login.md) ###### [Set up device groups](microsoft-defender-atp/mac-jamfpro-device-groups.md) ###### [Set up policies](microsoft-defender-atp/mac-jamfpro-policies.md) @@ -270,19 +267,19 @@ -### [Microsoft Defender Advanced Threat Protection for iOS]() -#### [Overview of Microsoft Defender Advanced Threat Protection for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md) +### [Microsoft Defender for Endpoint for iOS]() +#### [Overview of Microsoft Defender for Endpoint for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md) #### [Deploy]() -##### [App-based deployment](microsoft-defender-atp/ios-install.md) +##### [Deploy Microsoft Defender for Endpoint for iOS via Intune](microsoft-defender-atp/ios-install.md) #### [Configure]() ##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md) -#### [Privacy](microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md) +#### [Privacy](microsoft-defender-atp/ios-privacy.md) -### [Microsoft Defender Advanced Threat Protection for Linux]() -#### [Overview of Microsoft Defender ATP for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md) +### [Microsoft Defender for Endpoint for Linux]() +#### [Overview of Microsoft Defender for Endpoint for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md) #### [What's New](microsoft-defender-atp/linux-whatsnew.md) #### [Deploy]() ##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md) @@ -297,28 +294,31 @@ ##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md) ##### [Set preferences](microsoft-defender-atp/linux-preferences.md) ##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md) +##### [Schedule scans with Microsoft Defender for Endpoint for Linux](microsoft-defender-atp/linux-schedule-scan-atp.md) +##### [Schedule an update of the Microsoft Defender for Endpoint (Linux)](microsoft-defender-atp/linux-update-MDE-Linux.md) #### [Troubleshoot]() ##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md) ##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md) ##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md) +##### [Troubleshoot missing events issues](microsoft-defender-atp/linux-support-events.md) #### [Privacy](microsoft-defender-atp/linux-privacy.md) #### [Resources](microsoft-defender-atp/linux-resources.md) -### [Microsoft Defender Advanced Threat Protection for Android]() -#### [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp/microsoft-defender-atp-android.md) +### [Microsoft Defender for Endpoint for Android]() +#### [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp/microsoft-defender-atp-android.md) #### [Deploy]() -##### [Deploy Microsoft Defender ATP for Android with Microsoft Intune](microsoft-defender-atp/android-intune.md) +##### [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](microsoft-defender-atp/android-intune.md) #### [Configure]() -##### [Configure Microsoft Defender ATP for Android features](microsoft-defender-atp/android-configure.md) +##### [Configure Microsoft Defender for Endpoint for Android features](microsoft-defender-atp/android-configure.md) #### [Privacy]() -##### [Microsoft Defender ATP for Android - Privacy information](microsoft-defender-atp/android-privacy.md) +##### [Microsoft Defender for Endpoint for Android - Privacy information](microsoft-defender-atp/android-privacy.md) #### [Troubleshoot]() ##### [Troubleshoot issues](microsoft-defender-atp/android-support-signin.md) @@ -351,6 +351,7 @@ #### [Devices list]() ##### [View and organize the Devices list](microsoft-defender-atp/machines-view-overview.md) +##### [Techniques in device timeline](microsoft-defender-atp/techniques-device-timeline.md) ##### [Device timeline event flags](microsoft-defender-atp/device-timeline-event-flag.md) ##### [Manage device group and tags](microsoft-defender-atp/machine-tags.md) @@ -372,13 +373,14 @@ ###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network) ###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine) ###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) +###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file) ###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert) ###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center) -###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file) ###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) -#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) -##### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) +#### [Visit the Action center to see remediation actions](microsoft-defender-atp/auto-investigation-action-center.md) +##### [View and approve pending actions](microsoft-defender-atp/manage-auto-investigation.md) +##### [Details and results of an automated investigation](microsoft-defender-atp/autoir-investigation-results.md) #### [Investigate entities using Live response]() ##### [Investigate entities on devices](microsoft-defender-atp/live-response.md) @@ -438,21 +440,13 @@ ### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md) -### [Threat analytics](microsoft-defender-atp/threat-analytics.md) - - - - - - - - - +### [Threat analytics overview](microsoft-defender-atp/threat-analytics.md) +#### [Read the analyst report](microsoft-defender-atp/threat-analytics-analyst-reports.md) ## [How-to]() ### [Onboard devices to the service]() -#### [Onboard devices to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md) +#### [Onboard devices to Microsoft Defender for Endpoint](microsoft-defender-atp/onboard-configure.md) #### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md) #### [Onboard Windows 10 devices]() ##### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md) @@ -486,6 +480,7 @@ #### [General]() ##### [Verify data storage location and update data retention settings](microsoft-defender-atp/data-retention-settings.md) ##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md) +##### [Configure vulnerability notifications](microsoft-defender-atp/configure-vulnerability-email-notifications.md) ##### [Configure advanced features](microsoft-defender-atp/advanced-features.md) #### [Permissions]() @@ -516,22 +511,25 @@ #### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) #### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) +### [Address false positives/negatives in Microsoft Defender for Endpoint](microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) + ### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md) ## Reference ### [Management and APIs]() #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md) -#### [Microsoft Defender ATP API]() +#### [Microsoft Defender for Endpoint API]() ##### [Get started]() -###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md) -###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md) +###### [Microsoft Defender for Endpoint API license and terms](microsoft-defender-atp/api-terms-of-use.md) +###### [Access the Microsoft Defender for Endpoint APIs](microsoft-defender-atp/apis-intro.md) ###### [Hello World](microsoft-defender-atp/api-hello-world.md) ###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md) ###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md) ###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md) -##### [Microsoft Defender ATP APIs Schema]() -###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md) +##### [Microsoft Defender for Endpoint APIs Schema]() +###### [Supported Microsoft Defender for Endpoint APIs](microsoft-defender-atp/exposed-apis-list.md) +###### [Release Notes](microsoft-defender-atp/api-release-notes.md) ###### [Common REST API error codes](microsoft-defender-atp/common-errors.md) ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md) @@ -539,7 +537,8 @@ ####### [Alert methods and properties](microsoft-defender-atp/alerts.md) ####### [List alerts](microsoft-defender-atp/get-alerts.md) ####### [Create alert](microsoft-defender-atp/create-alert-by-reference.md) -####### [Update Alert](microsoft-defender-atp/update-alert.md) +####### [Update alert](microsoft-defender-atp/update-alert.md) +####### [Batch update alert](microsoft-defender-atp/batch-update-alerts.md) ####### [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id.md) ####### [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md) ####### [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md) @@ -558,6 +557,7 @@ ####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md) ####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md) ####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md) +####### [Find machines by tag](microsoft-defender-atp/find-machines-by-tag.md) ####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md) ####### [Set device value](microsoft-defender-atp/set-device-value.md) @@ -584,6 +584,7 @@ ###### [Indicators]() ####### [Indicators methods and properties](microsoft-defender-atp/ti-indicator.md) ####### [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md) +####### [Import Indicators](microsoft-defender-atp/import-ti-indicators.md) ####### [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md) ####### [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md) @@ -655,7 +656,7 @@ ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md) ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) ##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) -##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md) +##### [Microsoft Defender for Endpoint detection fields](microsoft-defender-atp/api-portal-mapping.md) ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) ##### [Fetch alerts from customer tenant](microsoft-defender-atp/fetch-alerts-mssp.md) ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md) @@ -683,11 +684,11 @@ ### [Partner integration scenarios]() #### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md) #### [Managed security service provider opportunity](microsoft-defender-atp/mssp-support.md) -#### [Become a Microsoft Defender ATP partner](microsoft-defender-atp/get-started-partner-integration.md) +#### [Become a Microsoft Defender for Endpoint partner](microsoft-defender-atp/get-started-partner-integration.md) ### [Integrations]() -#### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md) +#### [Microsoft Defender for Endpoint integrations](microsoft-defender-atp/threat-protection-integration.md) #### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md) #### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md) @@ -695,13 +696,13 @@ ### [Information protection in Windows overview]() #### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md) -### [Access the Microsoft Defender ATP Community Center](microsoft-defender-atp/community.md) +### [Access the Microsoft Defender for Endpoint Community Center](microsoft-defender-atp/community.md) ### [Helpful resources](microsoft-defender-atp/helpful-resources.md) -### [Troubleshoot Microsoft Defender ATP]() +### [Troubleshoot Microsoft Defender for Endpoint]() #### [Troubleshoot sensor state]() ##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md) ##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md) @@ -709,10 +710,10 @@ ##### [Misconfigured devices](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-devices) ##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md) -#### [Troubleshoot Microsoft Defender ATP service issues]() +#### [Troubleshoot Microsoft Defender for Endpoint service issues]() ##### [Troubleshoot service issues](microsoft-defender-atp/troubleshoot-mdatp.md) ##### [Check service health](microsoft-defender-atp/service-status.md) -##### [Contact Microsoft Defender ATP support](microsoft-defender-atp/contact-support.md) +##### [Contact Microsoft Defender for Endpoint support](microsoft-defender-atp/contact-support.md) #### [Troubleshoot live response issues](microsoft-defender-atp/troubleshoot-live-response.md) @@ -1341,7 +1342,6 @@ #### [Windows security baselines](windows-security-configuration-framework/windows-security-baselines.md) ##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md) ##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md) -### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index 2893cf7ece..6df69c3b35 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -4,7 +4,7 @@ description: This reference for IT professionals provides information about the ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171 ms.reviewer: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Advanced security audit policy settings diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md index 99b8a989c4..86a39fc1b7 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md @@ -4,7 +4,7 @@ description: This topic for the IT professional lists questions and answers abou ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Advanced security auditing FAQ diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md index 7c55d51d21..4a3608816f 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md @@ -4,7 +4,7 @@ description: Advanced security audit policy settings may appear to overlap with ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Advanced security audit policies diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md index 505da9bbb0..c892db7b11 100644 --- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md +++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md @@ -2,7 +2,7 @@ title: Appendix A, Security monitoring recommendations for many audit events (Windows 10) description: Learn about recommendations for the type of monitoring required for certain classes of security audit events. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # Appendix A: Security monitoring recommendations for many audit events diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index a18783d92c..2d63b25eb8 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -4,7 +4,7 @@ description: Apply audit policies to individual files and folders on your comput ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 07/25/2018 +ms.technology: mde --- # Apply a basic audit policy on a file or folder diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md index 1ea3e878e6..77f8126a98 100644 --- a/windows/security/threat-protection/auditing/audit-account-lockout.md +++ b/windows/security/threat-protection/auditing/audit-account-lockout.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 07/16/2018 +ms.technology: mde --- # Audit Account Lockout diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md index b594ba40ca..9215959064 100644 --- a/windows/security/threat-protection/auditing/audit-application-generated.md +++ b/windows/security/threat-protection/auditing/audit-application-generated.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Application Generated diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md index 8dce282dfa..a06d67b8d9 100644 --- a/windows/security/threat-protection/auditing/audit-application-group-management.md +++ b/windows/security/threat-protection/auditing/audit-application-group-management.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Application Group Management diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md index 376cab2bcf..81422c0d3f 100644 --- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Audit Policy Change diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md index 4a6f754c01..8bf74ed78f 100644 --- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Authentication Policy Change diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md index b13bec6cbc..c00445582a 100644 --- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Authorization Policy Change diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md index f655b5d8c6..e607b7c276 100644 --- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md +++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Central Access Policy Staging diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md index a1e50c1538..24af233cc3 100644 --- a/windows/security/threat-protection/auditing/audit-certification-services.md +++ b/windows/security/threat-protection/auditing/audit-certification-services.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Certification Services diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md index ab838fd042..677244f857 100644 --- a/windows/security/threat-protection/auditing/audit-computer-account-management.md +++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Computer Account Management diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md index 9ce3b5aa5b..4fdf9060db 100644 --- a/windows/security/threat-protection/auditing/audit-credential-validation.md +++ b/windows/security/threat-protection/auditing/audit-credential-validation.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Credential Validation diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md index 859859fc2b..a6f472d018 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Detailed Directory Service Replication diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md index 69a9d636c7..4428aad464 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md +++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Detailed File Share @@ -37,9 +38,9 @@ There are no system access control lists (SACLs) for shared folders. If this pol | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to very high volume of events, especially for SYSVOL share.
We recommend monitoring Failure access attempts: the volume should not be very high. You will be able to see who was not able to get access to a file or folder on a network share on a computer. | -| Member Server | IF | Yes | IF | Yes | IF – If a server has shared network folders which typically get many access requests (File Server, for example), the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for member servers should not be very high (if they are not File Servers). With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. | -| Workstation | IF | Yes | IF | Yes | IF – If a workstation has shared network folders which typically get many access requests, the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for workstations should not be very high. With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. | +| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to high volume of events, especially for SYSVOL share.
We recommend monitoring Failure access attempts: the volume should not be high. You will be able to see who was not able to get access to a file or folder on a network share on a computer. | +| Member Server | IF | Yes | IF | Yes | IF – If a server has shared network folders that typically get many access requests (File Server, for example), the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for member servers should not be high (if they are not File Servers). With Failure auditing, you can see who can't access a file or folder on a network share on this computer. | +| Workstation | IF | Yes | IF | Yes | IF – If a workstation has shared network folders that typically get many access requests, the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for workstations should not be high. With Failure auditing, you can see who can't access a file or folder on a network share on this computer. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md index 0a13f90a87..db603d8330 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Directory Service Access diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md index 1a962ee86f..f81b20e2a5 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Directory Service Changes diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md index dffea817d4..df8ddc7f12 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Directory Service Replication diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md index 2bacdbe3a1..352eea4cfe 100644 --- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md +++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Distribution Group Management diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md index fc94d79d95..7c346e1e52 100644 --- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md +++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit DPAPI Activity diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md index ccab879b4f..88b51b6a3f 100644 --- a/windows/security/threat-protection/auditing/audit-file-share.md +++ b/windows/security/threat-protection/auditing/audit-file-share.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit File Share diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md index 57ea7bc917..7da7e7d670 100644 --- a/windows/security/threat-protection/auditing/audit-file-system.md +++ b/windows/security/threat-protection/auditing/audit-file-system.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit File System diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md index 52475e4276..e45f321af3 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Filtering Platform Connection diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md index bdaff33b06..fabd2a6b86 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Filtering Platform Packet Drop diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md index 204a9b6320..72b892151f 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Filtering Platform Policy Change diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md index e9047b6c8a..37a86a6424 100644 --- a/windows/security/threat-protection/auditing/audit-group-membership.md +++ b/windows/security/threat-protection/auditing/audit-group-membership.md @@ -1,17 +1,18 @@ --- title: Audit Group Membership (Windows 10) -description: The advanced security audit policy setting, Audit Group Membership, enables you to audit group memberships when they are enumerated on the client PC. +description: Using the advanced security audit policy setting, Audit Group Membership, you can audit group memberships when they're enumerated on the client PC. ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9 ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Group Membership @@ -20,8 +21,7 @@ ms.date: 04/19/2017 - Windows 10 - Windows Server 2016 - -Audit Group Membership enables you to audit group memberships when they are enumerated on the client computer. +By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer. This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. @@ -33,15 +33,15 @@ Multiple events are generated if the group membership information cannot fit in **Event volume**: -- Low on a client computer. +- Low on a client computer. -- Medium on a domain controller or network servers. +- Medium on a domain controller or network servers. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | Yes | No | Yes | No | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. | +| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. | +| Workstation | Yes | No | Yes | No | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md index 64fd2edce2..e82188ac78 100644 --- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md +++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Handle Manipulation diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md index d396f0ed40..606acf77a3 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 10/02/2018 +ms.technology: mde --- # Audit IPsec Driver diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md index 37421d3b3e..179c4e5e22 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 10/02/2018 +ms.technology: mde --- # Audit IPsec Extended Mode diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md index bf2db28b53..092717cc70 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 10/02/2018 +ms.technology: mde --- # Audit IPsec Main Mode diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md index 290c41687a..fefab72132 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 10/02/2018 +ms.technology: mde --- # Audit IPsec Quick Mode diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md index 529003459d..14495b2794 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Kerberos Authentication Service diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md index 0c95144cb1..555de3229e 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Kerberos Service Ticket Operations diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md index 60f0a374d8..35d10b40fa 100644 --- a/windows/security/threat-protection/auditing/audit-kernel-object.md +++ b/windows/security/threat-protection/auditing/audit-kernel-object.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Kernel Object diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md index c4d6606795..a07a10fd9a 100644 --- a/windows/security/threat-protection/auditing/audit-logoff.md +++ b/windows/security/threat-protection/auditing/audit-logoff.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 07/16/2018 +ms.technology: mde --- # Audit Logoff @@ -23,7 +24,7 @@ ms.date: 07/16/2018 Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated. -These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to. +These events occur on the computer that was accessed. For an interactive logon, these events are generated on the computer that was logged on to. There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. @@ -31,13 +32,13 @@ Logon events are essential to understanding user activity and detecting potentia **Event volume**: High. -This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. +This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff, the security audit event is generated on the computer that the user account logged on to. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md index 711c16301c..e87dd6ad1d 100644 --- a/windows/security/threat-protection/auditing/audit-logon.md +++ b/windows/security/threat-protection/auditing/audit-logon.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Logon diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md index d58bafa0de..5107277a3d 100644 --- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit MPSSVC Rule-Level Policy Change diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md index 697ae99b16..78f17fb1a1 100644 --- a/windows/security/threat-protection/auditing/audit-network-policy-server.md +++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Network Policy Server diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md index f1227802bd..8cf59016dd 100644 --- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md @@ -1,27 +1,28 @@ --- -title: Audit Non Sensitive Privilege Use (Windows 10) -description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. +title: Audit Non-Sensitive Privilege Use (Windows 10) +description: This article for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- -# Audit Non Sensitive Privilege Use +# Audit Non-Sensitive Privilege Use **Applies to** - Windows 10 - Windows Server 2016 -Audit Non Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges: +Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges: - Access Credential Manager as a trusted caller diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md index 959a951636..39fa1e83de 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Other Account Logon Events diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md index 2795a0bb73..bb5d7120a3 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Other Account Management Events diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md index 9265129828..d50fe53957 100644 --- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md +++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Other Logon/Logoff Events diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md index 54b132e114..a485aa2d07 100644 --- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md +++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 05/29/2017 +ms.technology: mde --- # Audit Other Object Access Events diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md index 2ceacf7bd7..5f55e34285 100644 --- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md +++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Other Policy Change Events diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 9adb4cfd74..87c74a4998 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -2,16 +2,17 @@ title: Audit Other Privilege Use Events (Windows 10) description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S). ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c -ms.reviewer: +ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Other Privilege Use Events diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md index 314723a738..7554066d42 100644 --- a/windows/security/threat-protection/auditing/audit-other-system-events.md +++ b/windows/security/threat-protection/auditing/audit-other-system-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Other System Events diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md index 2d1298584a..16b696e3a2 100644 --- a/windows/security/threat-protection/auditing/audit-pnp-activity.md +++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit PNP Activity diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md index 2eb2aa20f8..456c7082b1 100644 --- a/windows/security/threat-protection/auditing/audit-process-creation.md +++ b/windows/security/threat-protection/auditing/audit-process-creation.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Process Creation diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md index 7ba49fbd59..97b0a91741 100644 --- a/windows/security/threat-protection/auditing/audit-process-termination.md +++ b/windows/security/threat-protection/auditing/audit-process-termination.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Process Termination diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 4b0d88838f..8b5fa48820 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Registry diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md index 82d5170b7c..d09d98cb1d 100644 --- a/windows/security/threat-protection/auditing/audit-removable-storage.md +++ b/windows/security/threat-protection/auditing/audit-removable-storage.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Removable Storage diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md index b35eacaf51..59202d82fa 100644 --- a/windows/security/threat-protection/auditing/audit-rpc-events.md +++ b/windows/security/threat-protection/auditing/audit-rpc-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit RPC Events diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md index 6e60284ead..2d23fcdcce 100644 --- a/windows/security/threat-protection/auditing/audit-sam.md +++ b/windows/security/threat-protection/auditing/audit-sam.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit SAM diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index d75b85e522..c80fe834a9 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 02/28/2019 +ms.technology: mde --- # Audit Security Group Management diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md index c10e8072f7..19614087bb 100644 --- a/windows/security/threat-protection/auditing/audit-security-state-change.md +++ b/windows/security/threat-protection/auditing/audit-security-state-change.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Security State Change diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md index 8c764f65c4..b787507ef4 100644 --- a/windows/security/threat-protection/auditing/audit-security-system-extension.md +++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Security System Extension diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md index 3bdb900b00..2f23c9cbcc 100644 --- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Sensitive Privilege Use diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md index ec7e84c990..b17dccbcb1 100644 --- a/windows/security/threat-protection/auditing/audit-special-logon.md +++ b/windows/security/threat-protection/auditing/audit-special-logon.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Special Logon diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md index 89d27ff3cb..b461299ea0 100644 --- a/windows/security/threat-protection/auditing/audit-system-integrity.md +++ b/windows/security/threat-protection/auditing/audit-system-integrity.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit System Integrity diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md index bb9d974920..266ab2e3c9 100644 --- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md +++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md @@ -5,7 +5,8 @@ manager: dansimp author: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security +ms.technology: mde --- # Audit Token Right Adjusted diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md index 5b2d45cc98..145e04e477 100644 --- a/windows/security/threat-protection/auditing/audit-user-account-management.md +++ b/windows/security/threat-protection/auditing/audit-user-account-management.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit User Account Management diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md index bea0be45b0..6051e50d2f 100644 --- a/windows/security/threat-protection/auditing/audit-user-device-claims.md +++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit User/Device Claims diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md index f345a84336..7e9d098f5d 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md @@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user logging on to o ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit account logon events diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index e699a88ac1..10a7cb1c8c 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -4,7 +4,7 @@ description: Determines whether to audit each event of account management on a d ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit account management diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md index 530a4255bc..e52e2e7382 100644 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md @@ -4,7 +4,7 @@ description: Determines whether to audit the event of a user accessing an Active ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit directory service access diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index 66c1906086..c730790cfa 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user logging on to o ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit logon events diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md index c3bada3ea8..7bb1357af3 100644 --- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md @@ -4,7 +4,7 @@ description: The policy setting, Audit object access, determines whether to audi ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit object access diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md index b80e5788af..a04167e8c2 100644 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md @@ -4,7 +4,7 @@ description: Determines whether to audit every incident of a change to user righ ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit policy change diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md index a3e7893fe6..4b6a28a415 100644 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md @@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user exercising a us ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit privilege use diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md index 4f02eab9a3..c2e1ff94ca 100644 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md @@ -4,7 +4,7 @@ description: Determines whether to audit detailed tracking information for event ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit process tracking diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md index 7811de4253..8c5e33028e 100644 --- a/windows/security/threat-protection/auditing/basic-audit-system-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md @@ -4,7 +4,7 @@ description: Determines whether to audit when a user restarts or shuts down the ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit system events diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index 3856637432..fd291c792a 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md @@ -4,7 +4,7 @@ description: Learn about basic security audit policies that specify the categori ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Basic security audit policies diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md index 686cdfdc71..0ddb0a6152 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md @@ -4,7 +4,7 @@ description: Basic security audit policy settings are found under Computer Confi ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Basic security audit policy settings diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md index 745c787671..526946d4b5 100644 --- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -4,7 +4,7 @@ description: By defining auditing settings for specific event categories, you ca ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create a basic audit policy for an event category diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md index 251aa8834c..f3fbd46308 100644 --- a/windows/security/threat-protection/auditing/event-1100.md +++ b/windows/security/threat-protection/auditing/event-1100.md @@ -2,7 +2,7 @@ title: 1100(S) The event logging service has shut down. (Windows 10) description: Describes security event 1100(S) The event logging service has shut down. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 1100(S): The event logging service has shut down. diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md index 4a9b1e8b3a..fecf1badde 100644 --- a/windows/security/threat-protection/auditing/event-1102.md +++ b/windows/security/threat-protection/auditing/event-1102.md @@ -2,7 +2,7 @@ title: 1102(S) The audit log was cleared. (Windows 10) description: Though you shouldn't normally see it, this event generates every time Windows Security audit log is cleared. This is for event 1102(S). ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 1102(S): The audit log was cleared. diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md index fbcbb7dad9..8dbb841dce 100644 --- a/windows/security/threat-protection/auditing/event-1104.md +++ b/windows/security/threat-protection/auditing/event-1104.md @@ -1,8 +1,8 @@ --- title: 1104(S) The security log is now full. (Windows 10) -description: This event generates every time Windows security log becomes full and the event log retention method is set to "Do not overwrite events." +description: This event generates every time Windows security log becomes full and the event log retention method is set to Do not overwrite events. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 1104(S): The security log is now full. diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md index bd4e2bb72a..c08fa7be61 100644 --- a/windows/security/threat-protection/auditing/event-1105.md +++ b/windows/security/threat-protection/auditing/event-1105.md @@ -2,7 +2,7 @@ title: 1105(S) Event log automatic backup. (Windows 10) description: This event generates every time Windows security log becomes full and new event log file was created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 1105(S): Event log automatic backup diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md index 0aaa3b6a99..cd3bf45ca4 100644 --- a/windows/security/threat-protection/auditing/event-1108.md +++ b/windows/security/threat-protection/auditing/event-1108.md @@ -2,7 +2,7 @@ title: The event logging service encountered an error (Windows 10) description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 1108(S): The event logging service encountered an error while processing an incoming event published from %1. diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 5f0730407d..6372e6acc2 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -2,7 +2,7 @@ title: 4608(S) Windows is starting up. (Windows 10) description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4608(S): Windows is starting up. diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md index c9be68814f..b85a2d5918 100644 --- a/windows/security/threat-protection/auditing/event-4610.md +++ b/windows/security/threat-protection/auditing/event-4610.md @@ -2,7 +2,7 @@ title: 4610(S) An authentication package has been loaded by the Local Security Authority. (Windows 10) description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4610(S): An authentication package has been loaded by the Local Security Authority. diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md index 6862a8d6a8..c3174b766e 100644 --- a/windows/security/threat-protection/auditing/event-4611.md +++ b/windows/security/threat-protection/auditing/event-4611.md @@ -2,7 +2,7 @@ title: 4611(S) A trusted logon process has been registered with the Local Security Authority. (Windows 10) description: Describes security event 4611(S) A trusted logon process has been registered with the Local Security Authority. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4611(S): A trusted logon process has been registered with the Local Security Authority. diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index 2ca7cca35a..c4561550d5 100644 --- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md @@ -2,7 +2,7 @@ title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. (Windows 10) description: Describes security event 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md index f86b22408c..5bc966978c 100644 --- a/windows/security/threat-protection/auditing/event-4614.md +++ b/windows/security/threat-protection/auditing/event-4614.md @@ -2,7 +2,7 @@ title: 4614(S) A notification package has been loaded by the Security Account Manager. (Windows 10) description: Describes security event 4614(S) A notification package has been loaded by the Security Account Manager. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4614(S): A notification package has been loaded by the Security Account Manager. diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index 0490e0ae3e..6c8f9cd7ac 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -2,7 +2,7 @@ title: 4615(S) Invalid use of LPC port. (Windows 10) description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4615(S): Invalid use of LPC port. diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 3f700f0719..690bde945f 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -2,7 +2,7 @@ title: 4616(S) The system time was changed. (Windows 10) description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4616(S): The system time was changed. diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md index 4155868172..c1bc41f942 100644 --- a/windows/security/threat-protection/auditing/event-4618.md +++ b/windows/security/threat-protection/auditing/event-4618.md @@ -2,7 +2,7 @@ title: 4618(S) A monitored security event pattern has occurred. (Windows 10) description: Describes security event 4618(S) A monitored security event pattern has occurred. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4618(S): A monitored security event pattern has occurred. diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md index f3365acf99..8868b9b584 100644 --- a/windows/security/threat-protection/auditing/event-4621.md +++ b/windows/security/threat-protection/auditing/event-4621.md @@ -2,7 +2,7 @@ title: 4621(S) Administrator recovered system from CrashOnAuditFail. (Windows 10) description: Describes security event 4621(S) Administrator recovered system from CrashOnAuditFail. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4621(S): Administrator recovered system from CrashOnAuditFail. diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md index 385f508b09..3579709147 100644 --- a/windows/security/threat-protection/auditing/event-4622.md +++ b/windows/security/threat-protection/auditing/event-4622.md @@ -2,7 +2,7 @@ title: 4622(S) A security package has been loaded by the Local Security Authority. (Windows 10) description: Describes security event 4622(S) A security package has been loaded by the Local Security Authority. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4622(S): A security package has been loaded by the Local Security Authority. diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index b310cd06ca..49f1a0d83c 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -2,7 +2,7 @@ title: 4624(S) An account was successfully logged on. (Windows 10) description: Describes security event 4624(S) An account was successfully logged on. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4624(S): An account was successfully logged on. @@ -156,7 +157,7 @@ This event generates when a logon session is created (on destination machine). I | `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | | `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | | `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | -| `12` | `CashedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. | +| `12` | `CachedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. | | `13` | `CachedUnlock` | Workstation logon. | - **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 293e52c57f..9dcf332398 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -2,7 +2,7 @@ title: 4625(F) An account failed to log on. (Windows 10) description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4625(F): An account failed to log on. diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index 2adc4b2f1b..667de4c561 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -2,7 +2,7 @@ title: 4626(S) User/Device claims information. (Windows 10) description: Describes security event 4626(S) User/Device claims information. This event is generated for new account logons. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4626(S): User/Device claims information. diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index fb47564ea9..ff63c0c122 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -2,7 +2,7 @@ title: 4627(S) Group membership information. (Windows 10) description: Describes security event 4627(S) Group membership information. This event is generated with event 4624(S) An account was successfully logged on. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4627(S): Group membership information. diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md index d76dc2df61..b0541e2dbb 100644 --- a/windows/security/threat-protection/auditing/event-4634.md +++ b/windows/security/threat-protection/auditing/event-4634.md @@ -2,7 +2,7 @@ title: 4634(S) An account was logged off. (Windows 10) description: Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 11/20/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4634(S): An account was logged off. diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md index 26bbcd86f8..14dc2a7083 100644 --- a/windows/security/threat-protection/auditing/event-4647.md +++ b/windows/security/threat-protection/auditing/event-4647.md @@ -2,7 +2,7 @@ title: 4647(S) User initiated logoff. (Windows 10) description: Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4647(S): User initiated logoff. diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index 5a44bd38f1..8483ee08ac 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -2,7 +2,7 @@ title: 4648(S) A logon was attempted using explicit credentials. (Windows 10) description: Describes security event 4648(S) A logon was attempted using explicit credentials. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4648(S): A logon was attempted using explicit credentials. diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md index dce0305250..06ae9ca1aa 100644 --- a/windows/security/threat-protection/auditing/event-4649.md +++ b/windows/security/threat-protection/auditing/event-4649.md @@ -2,7 +2,7 @@ title: 4649(S) A replay attack was detected. (Windows 10) description: Describes security event 4649(S) A replay attack was detected. This event is generated when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4649(S): A replay attack was detected. diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md index 918d665121..f0ce074332 100644 --- a/windows/security/threat-protection/auditing/event-4656.md +++ b/windows/security/threat-protection/auditing/event-4656.md @@ -2,7 +2,7 @@ title: 4656(S, F) A handle to an object was requested. (Windows 10) description: Describes security event 4656(S, F) A handle to an object was requested. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4656(S, F): A handle to an object was requested. diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md index cb009c97df..f7ebcac31c 100644 --- a/windows/security/threat-protection/auditing/event-4657.md +++ b/windows/security/threat-protection/auditing/event-4657.md @@ -2,7 +2,7 @@ title: 4657(S) A registry value was modified. (Windows 10) description: Describes security event 4657(S) A registry value was modified. This event is generated when a registry key value is modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4657(S): A registry value was modified. diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md index c461aa3d20..85b56fb6d0 100644 --- a/windows/security/threat-protection/auditing/event-4658.md +++ b/windows/security/threat-protection/auditing/event-4658.md @@ -2,7 +2,7 @@ title: 4658(S) The handle to an object was closed. (Windows 10) description: Describes security event 4658(S) The handle to an object was closed. This event is generated when the handle to an object is closed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4658(S): The handle to an object was closed. diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md index 0823b6ae3e..db4a9fd649 100644 --- a/windows/security/threat-protection/auditing/event-4660.md +++ b/windows/security/threat-protection/auditing/event-4660.md @@ -2,7 +2,7 @@ title: 4660(S) An object was deleted. (Windows 10) description: Describes security event 4660(S) An object was deleted. This event is generated when an object is deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4660(S): An object was deleted. diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md index 13513c1eb8..1fd43e2292 100644 --- a/windows/security/threat-protection/auditing/event-4661.md +++ b/windows/security/threat-protection/auditing/event-4661.md @@ -2,7 +2,7 @@ title: 4661(S, F) A handle to an object was requested. (Windows 10) description: Describes security event 4661(S, F) A handle to an object was requested. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4661(S, F): A handle to an object was requested. diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md index 31fd7fd716..8998dbb81a 100644 --- a/windows/security/threat-protection/auditing/event-4662.md +++ b/windows/security/threat-protection/auditing/event-4662.md @@ -2,7 +2,7 @@ title: 4662(S, F) An operation was performed on an object. (Windows 10) description: Describes security event 4662(S, F) An operation was performed on an object. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4662(S, F): An operation was performed on an object. diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md index 44da729457..367e5eb029 100644 --- a/windows/security/threat-protection/auditing/event-4663.md +++ b/windows/security/threat-protection/auditing/event-4663.md @@ -2,7 +2,7 @@ title: 4663(S) An attempt was made to access an object. (Windows 10) description: Describes security event 4663(S) An attempt was made to access an object. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4663(S): An attempt was made to access an object. diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md index 6f60cce3a7..9c99e5f2bc 100644 --- a/windows/security/threat-protection/auditing/event-4664.md +++ b/windows/security/threat-protection/auditing/event-4664.md @@ -2,7 +2,7 @@ title: 4664(S) An attempt was made to create a hard link. (Windows 10) description: Describes security event 4664(S) An attempt was made to create a hard link. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4664(S): An attempt was made to create a hard link. diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index bc6d20907b..c52b274d4f 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -2,7 +2,7 @@ title: 4670(S) Permissions on an object were changed. (Windows 10) description: Describes security event 4670(S) Permissions on an object were changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4670(S): Permissions on an object were changed. diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md index 3e81e5f2f6..fb46f1fb5a 100644 --- a/windows/security/threat-protection/auditing/event-4671.md +++ b/windows/security/threat-protection/auditing/event-4671.md @@ -2,7 +2,7 @@ title: 4671(-) An application attempted to access a blocked ordinal through the TBS. (Windows 10) description: Describes security event 4671(-) An application attempted to access a blocked ordinal through the TBS. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4671(-): An application attempted to access a blocked ordinal through the TBS. diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index 81b9fd94a0..60e95bde44 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -2,7 +2,7 @@ title: 4672(S) Special privileges assigned to new logon. (Windows 10) description: Describes security event 4672(S) Special privileges assigned to new logon. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 12/20/2018 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4672(S): Special privileges assigned to new logon. diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index c647485d66..579be30565 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -2,7 +2,7 @@ title: 4673(S, F) A privileged service was called. (Windows 10) description: Describes security event 4673(S, F) A privileged service was called. This event is generated for an attempt to perform privileged system service operations. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4673(S, F): A privileged service was called. diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md index 5781254277..5eecd1f2b5 100644 --- a/windows/security/threat-protection/auditing/event-4674.md +++ b/windows/security/threat-protection/auditing/event-4674.md @@ -2,7 +2,7 @@ title: 4674(S, F) An operation was attempted on a privileged object. (Windows 10) description: Describes security event 4674(S, F) An operation was attempted on a privileged object. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4674(S, F): An operation was attempted on a privileged object. diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md index 978d25bf39..0af7742f2c 100644 --- a/windows/security/threat-protection/auditing/event-4675.md +++ b/windows/security/threat-protection/auditing/event-4675.md @@ -2,7 +2,7 @@ title: 4675(S) SIDs were filtered. (Windows 10) description: Describes security event 4675(S) SIDs were filtered. This event is generated when SIDs were filtered for a specific Active Directory trust. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4675(S): SIDs were filtered. diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 4c48e4623a..31baef1ba5 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -2,7 +2,7 @@ title: 4688(S) A new process has been created. (Windows 10) description: Describes security event 4688(S) A new process has been created. This event is generated when a new process starts. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4688(S): A new process has been created. diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md index 81c27d0423..99bee451d9 100644 --- a/windows/security/threat-protection/auditing/event-4689.md +++ b/windows/security/threat-protection/auditing/event-4689.md @@ -2,7 +2,7 @@ title: 4689(S) A process has exited. (Windows 10) description: Describes security event 4689(S) A process has exited. This event is generates when a process exits. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4689(S): A process has exited. diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md index be4ce4de7c..d7a23d1da4 100644 --- a/windows/security/threat-protection/auditing/event-4690.md +++ b/windows/security/threat-protection/auditing/event-4690.md @@ -2,7 +2,7 @@ title: 4690(S) An attempt was made to duplicate a handle to an object. (Windows 10) description: Describes security event 4690(S) An attempt was made to duplicate a handle to an object. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4690(S): An attempt was made to duplicate a handle to an object. diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md index 001cce1266..cadefa2220 100644 --- a/windows/security/threat-protection/auditing/event-4691.md +++ b/windows/security/threat-protection/auditing/event-4691.md @@ -2,7 +2,7 @@ title: 4691(S) Indirect access to an object was requested. (Windows 10) description: Describes security event 4691(S) Indirect access to an object was requested. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4691(S): Indirect access to an object was requested. diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md index dc84c4c3d6..5d421a4e9f 100644 --- a/windows/security/threat-protection/auditing/event-4692.md +++ b/windows/security/threat-protection/auditing/event-4692.md @@ -2,7 +2,7 @@ title: 4692(S, F) Backup of data protection master key was attempted. (Windows 10) description: Describes security event 4692(S, F) Backup of data protection master key was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4692(S, F): Backup of data protection master key was attempted. diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md index 72c5473fe1..705ede7a61 100644 --- a/windows/security/threat-protection/auditing/event-4693.md +++ b/windows/security/threat-protection/auditing/event-4693.md @@ -2,7 +2,7 @@ title: 4693(S, F) Recovery of data protection master key was attempted. (Windows 10) description: Describes security event 4693(S, F) Recovery of data protection master key was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4693(S, F): Recovery of data protection master key was attempted. diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md index 9d96a529ac..3d9e4f51cf 100644 --- a/windows/security/threat-protection/auditing/event-4694.md +++ b/windows/security/threat-protection/auditing/event-4694.md @@ -2,7 +2,7 @@ title: 4694(S, F) Protection of auditable protected data was attempted. (Windows 10) description: Describes security event 4694(S, F) Protection of auditable protected data was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4694(S, F): Protection of auditable protected data was attempted. diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md index 675ba33601..cbca831957 100644 --- a/windows/security/threat-protection/auditing/event-4695.md +++ b/windows/security/threat-protection/auditing/event-4695.md @@ -2,7 +2,7 @@ title: 4695(S, F) Unprotection of auditable protected data was attempted. (Windows 10) description: Describes security event 4695(S, F) Unprotection of auditable protected data was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4695(S, F): Unprotection of auditable protected data was attempted. diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md index 0268cd25a8..520d0d5d1e 100644 --- a/windows/security/threat-protection/auditing/event-4696.md +++ b/windows/security/threat-protection/auditing/event-4696.md @@ -2,7 +2,7 @@ title: 4696(S) A primary token was assigned to process. (Windows 10) description: Describes security event 4696(S) A primary token was assigned to process. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4696(S): A primary token was assigned to process. diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md index d454c05905..090b2436e1 100644 --- a/windows/security/threat-protection/auditing/event-4697.md +++ b/windows/security/threat-protection/auditing/event-4697.md @@ -2,7 +2,7 @@ title: 4697(S) A service was installed in the system. (Windows 10) description: Describes security event 4697(S) A service was installed in the system. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4697(S): A service was installed in the system. diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md index a6f3256c16..567815e3b8 100644 --- a/windows/security/threat-protection/auditing/event-4698.md +++ b/windows/security/threat-protection/auditing/event-4698.md @@ -2,7 +2,7 @@ title: 4698(S) A scheduled task was created. (Windows 10) description: Describes security event 4698(S) A scheduled task was created. This event is generated when a scheduled task is created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4698(S): A scheduled task was created. diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md index 48148e6246..5b2861c4d1 100644 --- a/windows/security/threat-protection/auditing/event-4699.md +++ b/windows/security/threat-protection/auditing/event-4699.md @@ -2,7 +2,7 @@ title: 4699(S) A scheduled task was deleted. (Windows 10) description: Describes security event 4699(S) A scheduled task was deleted. This event is generated every time a scheduled task is deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4699(S): A scheduled task was deleted. diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md index 8d39b0e38d..90e9f7b574 100644 --- a/windows/security/threat-protection/auditing/event-4700.md +++ b/windows/security/threat-protection/auditing/event-4700.md @@ -2,7 +2,7 @@ title: 4700(S) A scheduled task was enabled. (Windows 10) description: Describes security event 4700(S) A scheduled task was enabled. This event is generated every time a scheduled task is enabled. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4700(S): A scheduled task was enabled. diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md index ef24c397fc..bc81734079 100644 --- a/windows/security/threat-protection/auditing/event-4701.md +++ b/windows/security/threat-protection/auditing/event-4701.md @@ -2,7 +2,7 @@ title: 4701(S) A scheduled task was disabled. (Windows 10) description: Describes security event 4701(S) A scheduled task was disabled. This event is generated every time a scheduled task is disabled. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4701(S): A scheduled task was disabled. diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md index 393a0619d6..f6d5b753e4 100644 --- a/windows/security/threat-protection/auditing/event-4702.md +++ b/windows/security/threat-protection/auditing/event-4702.md @@ -2,7 +2,7 @@ title: 4702(S) A scheduled task was updated. (Windows 10) description: Describes security event 4702(S) A scheduled task was updated. This event is generated when a scheduled task is updated/changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4702(S): A scheduled task was updated. diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index 7483483ea2..e0a624d4fb 100644 --- a/windows/security/threat-protection/auditing/event-4703.md +++ b/windows/security/threat-protection/auditing/event-4703.md @@ -2,7 +2,7 @@ title: 4703(S) A user right was adjusted. (Windows 10) description: Describes security event 4703(S) A user right was adjusted. This event is generated when token privileges are enabled or disabled for a specific account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4703(S): A user right was adjusted. diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index bc3e9d5c3a..d1d045bb0d 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -2,7 +2,7 @@ title: 4704(S) A user right was assigned. (Windows 10) description: Describes security event 4704(S) A user right was assigned. This event is generated when a user right is assigned to an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4704(S): A user right was assigned. diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index 5b337c9941..317b3b23fb 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -2,7 +2,7 @@ title: 4705(S) A user right was removed. (Windows 10) description: Describes security event 4705(S) A user right was removed. This event is generated when a user right is removed from an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4705(S): A user right was removed. diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md index 2a57c47db5..d39473364c 100644 --- a/windows/security/threat-protection/auditing/event-4706.md +++ b/windows/security/threat-protection/auditing/event-4706.md @@ -2,7 +2,7 @@ title: 4706(S) A new trust was created to a domain. (Windows 10) description: Describes security event 4706(S) A new trust was created to a domain. This event is generated when a new trust is created for a domain. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4706(S): A new trust was created to a domain. diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md index dc7e2f5419..f16f66bdcd 100644 --- a/windows/security/threat-protection/auditing/event-4707.md +++ b/windows/security/threat-protection/auditing/event-4707.md @@ -2,7 +2,7 @@ title: 4707(S) A trust to a domain was removed. (Windows 10) description: Describes security event 4707(S) A trust to a domain was removed. This event is generated when a domain trust is removed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4707(S): A trust to a domain was removed. diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md index 69c6f2f153..3c7ada997e 100644 --- a/windows/security/threat-protection/auditing/event-4713.md +++ b/windows/security/threat-protection/auditing/event-4713.md @@ -2,7 +2,7 @@ title: 4713(S) Kerberos policy was changed. (Windows 10) description: Describes security event 4713(S) Kerberos policy was changed. This event is generated when Kerberos policy is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4713(S): Kerberos policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md index c81891ffc9..36dec3a969 100644 --- a/windows/security/threat-protection/auditing/event-4714.md +++ b/windows/security/threat-protection/auditing/event-4714.md @@ -2,7 +2,7 @@ title: 4714(S) Encrypted data recovery policy was changed. (Windows 10) description: Describes security event 4714(S) Encrypted data recovery policy was changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4714(S): Encrypted data recovery policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md index c51f51c999..d4e9d14839 100644 --- a/windows/security/threat-protection/auditing/event-4715.md +++ b/windows/security/threat-protection/auditing/event-4715.md @@ -2,7 +2,7 @@ title: 4715(S) The audit policy (SACL) on an object was changed. (Windows 10) description: Describes security event 4715(S) The audit policy (SACL) on an object was changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4715(S): The audit policy (SACL) on an object was changed. diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md index 4ab122d7f1..35b1bfc9d2 100644 --- a/windows/security/threat-protection/auditing/event-4716.md +++ b/windows/security/threat-protection/auditing/event-4716.md @@ -2,7 +2,7 @@ title: 4716(S) Trusted domain information was modified. (Windows 10) description: Describes security event 4716(S) Trusted domain information was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/04/2019 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4716(S): Trusted domain information was modified. diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index ffe87e87e0..ddbd9f66db 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -2,7 +2,7 @@ title: 4717(S) System security access was granted to an account. (Windows 10) description: Describes security event 4717(S) System security access was granted to an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4717(S): System security access was granted to an account. diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index ecef74c71a..0e7892c9c8 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -2,7 +2,7 @@ title: 4718(S) System security access was removed from an account. (Windows 10) description: Describes security event 4718(S) System security access was removed from an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4718(S): System security access was removed from an account. diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md index e634cf0bbf..98469b6945 100644 --- a/windows/security/threat-protection/auditing/event-4719.md +++ b/windows/security/threat-protection/auditing/event-4719.md @@ -2,7 +2,7 @@ title: 4719(S) System audit policy was changed. (Windows 10) description: Describes security event 4719(S) System audit policy was changed. This event is generated when the computer audit policy changes. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4719(S): System audit policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index d18fd86200..1569aebb53 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md @@ -2,7 +2,7 @@ title: 4720(S) A user account was created. (Windows 10) description: Describes security event 4720(S) A user account was created. This event is generated a user object is created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4720(S): A user account was created. diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md index 97a958aba9..e156a9bedf 100644 --- a/windows/security/threat-protection/auditing/event-4722.md +++ b/windows/security/threat-protection/auditing/event-4722.md @@ -2,7 +2,7 @@ title: 4722(S) A user account was enabled. (Windows 10) description: Describes security event 4722(S) A user account was enabled. This event is generated when a user or computer object is enabled. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4722(S): A user account was enabled. diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md index 4622d802a2..8a2eb1aa9b 100644 --- a/windows/security/threat-protection/auditing/event-4723.md +++ b/windows/security/threat-protection/auditing/event-4723.md @@ -2,7 +2,7 @@ title: 4723(S, F) An attempt was made to change an account's password. (Windows 10) description: Describes security event 4723(S, F) An attempt was made to change an account's password. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4723(S, F): An attempt was made to change an account's password. diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md index 3d9bbc1a0d..f360a13828 100644 --- a/windows/security/threat-protection/auditing/event-4724.md +++ b/windows/security/threat-protection/auditing/event-4724.md @@ -2,7 +2,7 @@ title: 4724(S, F) An attempt was made to reset an account's password. (Windows 10) description: Describes security event 4724(S, F) An attempt was made to reset an account's password. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4724(S, F): An attempt was made to reset an account's password. diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md index c1bdc4c1f4..5be795b261 100644 --- a/windows/security/threat-protection/auditing/event-4725.md +++ b/windows/security/threat-protection/auditing/event-4725.md @@ -2,7 +2,7 @@ title: 4725(S) A user account was disabled. (Windows 10) description: Describes security event 4725(S) A user account was disabled. This event is generated when a user or computer object is disabled. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4725(S): A user account was disabled. diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md index ae0997e85e..f8f7ffba8c 100644 --- a/windows/security/threat-protection/auditing/event-4726.md +++ b/windows/security/threat-protection/auditing/event-4726.md @@ -2,7 +2,7 @@ title: 4726(S) A user account was deleted. (Windows 10) description: Describes security event 4726(S) A user account was deleted. This event is generated when a user object is deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4726(S): A user account was deleted. diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md index 5fcdcba641..78d8e0e0c8 100644 --- a/windows/security/threat-protection/auditing/event-4731.md +++ b/windows/security/threat-protection/auditing/event-4731.md @@ -2,7 +2,7 @@ title: 4731(S) A security-enabled local group was created. (Windows 10) description: Describes security event 4731(S) A security-enabled local group was created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4731(S): A security-enabled local group was created. diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md index 65ba0ae840..94a84c0054 100644 --- a/windows/security/threat-protection/auditing/event-4732.md +++ b/windows/security/threat-protection/auditing/event-4732.md @@ -2,7 +2,7 @@ title: 4732(S) A member was added to a security-enabled local group. (Windows 10) description: Describes security event 4732(S) A member was added to a security-enabled local group. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4732(S): A member was added to a security-enabled local group. diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md index b970a918bc..b23bf184d3 100644 --- a/windows/security/threat-protection/auditing/event-4733.md +++ b/windows/security/threat-protection/auditing/event-4733.md @@ -2,7 +2,7 @@ title: 4733(S) A member was removed from a security-enabled local group. (Windows 10) description: Describes security event 4733(S) A member was removed from a security-enabled local group. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4733(S): A member was removed from a security-enabled local group. diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md index 5e439c5e46..144c20c935 100644 --- a/windows/security/threat-protection/auditing/event-4734.md +++ b/windows/security/threat-protection/auditing/event-4734.md @@ -2,7 +2,7 @@ title: 4734(S) A security-enabled local group was deleted. (Windows 10) description: Describes security event 4734(S) A security-enabled local group was deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4734(S): A security-enabled local group was deleted. diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md index 07ff8c48cf..98843abaa0 100644 --- a/windows/security/threat-protection/auditing/event-4735.md +++ b/windows/security/threat-protection/auditing/event-4735.md @@ -2,7 +2,7 @@ title: 4735(S) A security-enabled local group was changed. (Windows 10) description: Describes security event 4735(S) A security-enabled local group was changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4735(S): A security-enabled local group was changed. diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index 3ad4e0bb93..6262726e51 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md @@ -2,7 +2,7 @@ title: 4738(S) A user account was changed. (Windows 10) description: Describes security event 4738(S) A user account was changed. This event is generated when a user object is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4738(S): A user account was changed. diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md index 644aa94187..900d034c18 100644 --- a/windows/security/threat-protection/auditing/event-4739.md +++ b/windows/security/threat-protection/auditing/event-4739.md @@ -2,7 +2,7 @@ title: 4739(S) Domain Policy was changed. (Windows 10) description: Describes security event 4739(S) Domain Policy was changed. This event is generated when certain changes are made to the local computer security policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4739(S): Domain Policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md index 68838caedf..db7139e935 100644 --- a/windows/security/threat-protection/auditing/event-4740.md +++ b/windows/security/threat-protection/auditing/event-4740.md @@ -2,7 +2,7 @@ title: 4740(S) A user account was locked out. (Windows 10) description: Describes security event 4740(S) A user account was locked out. This event is generated every time a user account is locked out. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4740(S): A user account was locked out. diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index 22809b4f8f..466e46e06b 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md @@ -2,7 +2,7 @@ title: 4741(S) A computer account was created. (Windows 10) description: Describes security event 4741(S) A computer account was created. This event is generated every time a computer object is created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4741(S): A computer account was created. diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index 0d9f50526b..c692aef6e1 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -2,7 +2,7 @@ title: 4742(S) A computer account was changed. (Windows 10) description: Describes security event 4742(S) A computer account was changed. This event is generated every time a computer object is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4742(S): A computer account was changed. diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md index 3cc90698fb..3402a5e1d7 100644 --- a/windows/security/threat-protection/auditing/event-4743.md +++ b/windows/security/threat-protection/auditing/event-4743.md @@ -2,7 +2,7 @@ title: 4743(S) A computer account was deleted. (Windows 10) description: Describes security event 4743(S) A computer account was deleted. This event is generated every time a computer object is deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4743(S): A computer account was deleted. diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md index cb2cbe96a6..478ae9e021 100644 --- a/windows/security/threat-protection/auditing/event-4749.md +++ b/windows/security/threat-protection/auditing/event-4749.md @@ -2,7 +2,7 @@ title: 4749(S) A security-disabled global group was created. (Windows 10) description: Describes security event 4749(S) A security-disabled global group was created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4749(S): A security-disabled global group was created. diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md index 7d5ba9d12e..4bdfe79f69 100644 --- a/windows/security/threat-protection/auditing/event-4750.md +++ b/windows/security/threat-protection/auditing/event-4750.md @@ -2,7 +2,7 @@ title: 4750(S) A security-disabled global group was changed. (Windows 10) description: Describes security event 4750(S) A security-disabled global group was changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4750(S): A security-disabled global group was changed. diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md index e72bc3b3a0..c86b86e123 100644 --- a/windows/security/threat-protection/auditing/event-4751.md +++ b/windows/security/threat-protection/auditing/event-4751.md @@ -2,7 +2,7 @@ title: 4751(S) A member was added to a security-disabled global group. (Windows 10) description: Describes security event 4751(S) A member was added to a security-disabled global group. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4751(S): A member was added to a security-disabled global group. diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md index b1fc1df98f..791b2886aa 100644 --- a/windows/security/threat-protection/auditing/event-4752.md +++ b/windows/security/threat-protection/auditing/event-4752.md @@ -2,7 +2,7 @@ title: 4752(S) A member was removed from a security-disabled global group. (Windows 10) description: Describes security event 4752(S) A member was removed from a security-disabled global group. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4752(S): A member was removed from a security-disabled global group. diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md index 0eef2ab038..501018ce26 100644 --- a/windows/security/threat-protection/auditing/event-4753.md +++ b/windows/security/threat-protection/auditing/event-4753.md @@ -2,7 +2,7 @@ title: 4753(S) A security-disabled global group was deleted. (Windows 10) description: Describes security event 4753(S) A security-disabled global group was deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4753(S): A security-disabled global group was deleted. diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md index 86df9d9645..1697b853f9 100644 --- a/windows/security/threat-protection/auditing/event-4764.md +++ b/windows/security/threat-protection/auditing/event-4764.md @@ -1,8 +1,8 @@ --- title: 4764(S) A group's type was changed. (Windows 10) -description: "Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed." +description: Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4764(S): A group’s type was changed. diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md index 3ea2c4e756..3a23558650 100644 --- a/windows/security/threat-protection/auditing/event-4765.md +++ b/windows/security/threat-protection/auditing/event-4765.md @@ -2,7 +2,7 @@ title: 4765(S) SID History was added to an account. (Windows 10) description: Describes security event 4765(S) SID History was added to an account. This event is generated when SID History is added to an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4765(S): SID History was added to an account. diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md index d8dab9d004..afac5f0fe1 100644 --- a/windows/security/threat-protection/auditing/event-4766.md +++ b/windows/security/threat-protection/auditing/event-4766.md @@ -2,7 +2,7 @@ title: 4766(F) An attempt to add SID History to an account failed. (Windows 10) description: Describes security event 4766(F) An attempt to add SID History to an account failed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4766(F): An attempt to add SID History to an account failed. diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md index 87baefbc54..cf7b13e4f0 100644 --- a/windows/security/threat-protection/auditing/event-4767.md +++ b/windows/security/threat-protection/auditing/event-4767.md @@ -2,7 +2,7 @@ title: 4767(S) A user account was unlocked. (Windows 10) description: Describes security event 4767(S) A user account was unlocked. This event is generated every time a user account is unlocked. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4767(S): A user account was unlocked. diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index 1da086eb93..22df11d465 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -2,7 +2,7 @@ title: 4768(S, F) A Kerberos authentication ticket (TGT) was requested. (Windows 10) description: Describes security event 4768(S, F) A Kerberos authentication ticket (TGT) was requested. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4768(S, F): A Kerberos authentication ticket (TGT) was requested. diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index 64f7bf4503..522068cbbb 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -2,7 +2,7 @@ title: 4769(S, F) A Kerberos service ticket was requested. (Windows 10) description: Describes security event 4769(S, F) A Kerberos service ticket was requested. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4769(S, F): A Kerberos service ticket was requested. diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md index 0085dcf3ff..8ec543b090 100644 --- a/windows/security/threat-protection/auditing/event-4770.md +++ b/windows/security/threat-protection/auditing/event-4770.md @@ -2,7 +2,7 @@ title: 4770(S) A Kerberos service ticket was renewed. (Windows 10) description: Describes security event 4770(S) A Kerberos service ticket was renewed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4770(S): A Kerberos service ticket was renewed. diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 9c6cb7f55a..840d05eefb 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -2,7 +2,7 @@ title: 4771(F) Kerberos pre-authentication failed. (Windows 10) description: Describes security event 4771(F) Kerberos pre-authentication failed. This event is generated when the Key Distribution Center fails to issue a Kerberos TGT. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 07/23/2020 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4771(F): Kerberos pre-authentication failed. diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md index 1119135008..2124b16bb1 100644 --- a/windows/security/threat-protection/auditing/event-4772.md +++ b/windows/security/threat-protection/auditing/event-4772.md @@ -2,7 +2,7 @@ title: 4772(F) A Kerberos authentication ticket request failed. (Windows 10) description: Describes security event 4772(F) A Kerberos authentication ticket request failed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4772(F): A Kerberos authentication ticket request failed. diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md index 7a307bbea1..ba672478d8 100644 --- a/windows/security/threat-protection/auditing/event-4773.md +++ b/windows/security/threat-protection/auditing/event-4773.md @@ -2,7 +2,7 @@ title: 4773(F) A Kerberos service ticket request failed. (Windows 10) description: Describes security event 4773(F) A Kerberos service ticket request failed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4773(F): A Kerberos service ticket request failed. diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md index 21a33e20a2..08eb0fe72f 100644 --- a/windows/security/threat-protection/auditing/event-4774.md +++ b/windows/security/threat-protection/auditing/event-4774.md @@ -2,7 +2,7 @@ title: 4774(S, F) An account was mapped for logon. (Windows 10) description: Describes security event 4774(S, F) An account was mapped for logon. This event is generated when an account is mapped for logon. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4774(S, F): An account was mapped for logon. diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md index e444e1c1bd..cf27ccdf2a 100644 --- a/windows/security/threat-protection/auditing/event-4775.md +++ b/windows/security/threat-protection/auditing/event-4775.md @@ -2,7 +2,7 @@ title: 4775(F) An account could not be mapped for logon. (Windows 10) description: Describes security event 4775(F) An account could not be mapped for logon. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4775(F): An account could not be mapped for logon. diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index 2e759dcb4e..18bd592d00 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -2,7 +2,7 @@ title: 4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10) description: Describes security event 4776(S, F) The computer attempted to validate the credentials for an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4776(S, F): The computer attempted to validate the credentials for an account. diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md index 4cdf40b163..28a4b42d08 100644 --- a/windows/security/threat-protection/auditing/event-4777.md +++ b/windows/security/threat-protection/auditing/event-4777.md @@ -2,7 +2,7 @@ title: 4777(F) The domain controller failed to validate the credentials for an account. (Windows 10) description: Describes security event 4777(F) The domain controller failed to validate the credentials for an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4777(F): The domain controller failed to validate the credentials for an account. diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index 265b39dbcf..53c1eac2d8 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md @@ -2,7 +2,7 @@ title: 4778(S) A session was reconnected to a Window Station. (Windows 10) description: Describes security event 4778(S) A session was reconnected to a Window Station. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4778(S): A session was reconnected to a Window Station. diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index bd733289bb..76337cfdf8 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md @@ -2,7 +2,7 @@ title: 4779(S) A session was disconnected from a Window Station. (Windows 10) description: Describes security event 4779(S) A session was disconnected from a Window Station. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4779(S): A session was disconnected from a Window Station. diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md index 4a521896e8..dafa5d3ff1 100644 --- a/windows/security/threat-protection/auditing/event-4780.md +++ b/windows/security/threat-protection/auditing/event-4780.md @@ -2,7 +2,7 @@ title: 4780(S) The ACL was set on accounts which are members of administrators groups. (Windows 10) description: Describes security event 4780(S) The ACL was set on accounts which are members of administrators groups. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4780(S): The ACL was set on accounts which are members of administrators groups. diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md index a48651e686..2adb3bcac5 100644 --- a/windows/security/threat-protection/auditing/event-4781.md +++ b/windows/security/threat-protection/auditing/event-4781.md @@ -2,7 +2,7 @@ title: 4781(S) The name of an account was changed. (Windows 10) description: Describes security event 4781(S) The name of an account was changed. This event is generated every time a user or computer account name is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4781(S): The name of an account was changed. diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md index 571fdf3a93..a7907aed15 100644 --- a/windows/security/threat-protection/auditing/event-4782.md +++ b/windows/security/threat-protection/auditing/event-4782.md @@ -2,7 +2,7 @@ title: 4782(S) The password hash of an account was accessed. (Windows 10) description: Describes security event 4782(S) The password hash of an account was accessed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4782(S): The password hash of an account was accessed. diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md index f2bdc2b09f..d6fecbdbdf 100644 --- a/windows/security/threat-protection/auditing/event-4793.md +++ b/windows/security/threat-protection/auditing/event-4793.md @@ -2,7 +2,7 @@ title: 4793(S) The Password Policy Checking API was called. (Windows 10) description: Describes security event 4793(S) The Password Policy Checking API was called. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4793(S): The Password Policy Checking API was called. diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md index 9ecf3cfcb7..6e585048c1 100644 --- a/windows/security/threat-protection/auditing/event-4794.md +++ b/windows/security/threat-protection/auditing/event-4794.md @@ -2,7 +2,7 @@ title: 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. (Windows 10) description: Describes security event 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password. diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md index 76e806ffcf..3fddfd9b65 100644 --- a/windows/security/threat-protection/auditing/event-4798.md +++ b/windows/security/threat-protection/auditing/event-4798.md @@ -2,7 +2,7 @@ title: 4798(S) A user's local group membership was enumerated. (Windows 10) description: Describes security event 4798(S) A user's local group membership was enumerated. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4798(S): A user's local group membership was enumerated. diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md index c9963afbb0..18b337fcdc 100644 --- a/windows/security/threat-protection/auditing/event-4799.md +++ b/windows/security/threat-protection/auditing/event-4799.md @@ -2,7 +2,7 @@ title: 4799(S) A security-enabled local group membership was enumerated. (Windows 10) description: Describes security event 4799(S) A security-enabled local group membership was enumerated. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4799(S): A security-enabled local group membership was enumerated. diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md index b0be9a0f3a..92c543f8b0 100644 --- a/windows/security/threat-protection/auditing/event-4800.md +++ b/windows/security/threat-protection/auditing/event-4800.md @@ -2,7 +2,7 @@ title: 4800(S) The workstation was locked. (Windows 10) description: Describes security event 4800(S) The workstation was locked. This event is generated when a workstation is locked. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4800(S): The workstation was locked. diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md index 61e2682379..ed7c8ec85c 100644 --- a/windows/security/threat-protection/auditing/event-4801.md +++ b/windows/security/threat-protection/auditing/event-4801.md @@ -2,7 +2,7 @@ title: 4801(S) The workstation was unlocked. (Windows 10) description: Describes security event 4801(S) The workstation was unlocked. This event is generated when workstation is unlocked. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4801(S): The workstation was unlocked. diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md index a00ead7497..9f5fa2b8e3 100644 --- a/windows/security/threat-protection/auditing/event-4802.md +++ b/windows/security/threat-protection/auditing/event-4802.md @@ -2,7 +2,7 @@ title: 4802(S) The screen saver was invoked. (Windows 10) description: Describes security event 4802(S) The screen saver was invoked. This event is generated when screen saver is invoked. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4802(S): The screen saver was invoked. diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md index 0354849e13..20304e4527 100644 --- a/windows/security/threat-protection/auditing/event-4803.md +++ b/windows/security/threat-protection/auditing/event-4803.md @@ -2,7 +2,7 @@ title: 4803(S) The screen saver was dismissed. (Windows 10) description: Describes security event 4803(S) The screen saver was dismissed. This event is generated when screen saver is dismissed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4803(S): The screen saver was dismissed. diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md index 1efa9756ec..9e36c52bb1 100644 --- a/windows/security/threat-protection/auditing/event-4816.md +++ b/windows/security/threat-protection/auditing/event-4816.md @@ -2,7 +2,7 @@ title: 4816(S) RPC detected an integrity violation while decrypting an incoming message. (Windows 10) description: Describes security event 4816(S) RPC detected an integrity violation while decrypting an incoming message. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4816(S): RPC detected an integrity violation while decrypting an incoming message. diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md index efdf01da8a..48757706f8 100644 --- a/windows/security/threat-protection/auditing/event-4817.md +++ b/windows/security/threat-protection/auditing/event-4817.md @@ -2,7 +2,7 @@ title: 4817(S) Auditing settings on object were changed. (Windows 10) description: Describes security event 4817(S) Auditing settings on object were changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4817(S): Auditing settings on object were changed. diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md index 1134b02c0b..7da8723ef4 100644 --- a/windows/security/threat-protection/auditing/event-4818.md +++ b/windows/security/threat-protection/auditing/event-4818.md @@ -2,7 +2,7 @@ title: 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. (Windows 10) description: Describes security event 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md index c2de9d1e36..58fa2fcf24 100644 --- a/windows/security/threat-protection/auditing/event-4819.md +++ b/windows/security/threat-protection/auditing/event-4819.md @@ -2,7 +2,7 @@ title: 4819(S) Central Access Policies on the machine have been changed. (Windows 10) description: Describes security event 4819(S) Central Access Policies on the machine have been changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4819(S): Central Access Policies on the machine have been changed. diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md index 3729924d93..29f4675931 100644 --- a/windows/security/threat-protection/auditing/event-4826.md +++ b/windows/security/threat-protection/auditing/event-4826.md @@ -2,7 +2,7 @@ title: 4826(S) Boot Configuration Data loaded. (Windows 10) description: Describes security event 4826(S) Boot Configuration Data loaded. This event is generated every time system starts and loads Boot Configuration Data settings. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4826(S): Boot Configuration Data loaded. diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md index 5556b207b5..ca1995291e 100644 --- a/windows/security/threat-protection/auditing/event-4864.md +++ b/windows/security/threat-protection/auditing/event-4864.md @@ -2,7 +2,7 @@ title: 4864(S) A namespace collision was detected. (Windows 10) description: Describes security event 4864(S) A namespace collision was detected. This event is generated when a namespace collision is detected. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4864(S): A namespace collision was detected. diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md index 15e738f7be..e1ff8e242a 100644 --- a/windows/security/threat-protection/auditing/event-4865.md +++ b/windows/security/threat-protection/auditing/event-4865.md @@ -2,7 +2,7 @@ title: 4865(S) A trusted forest information entry was added. (Windows 10) description: Describes security event 4865(S) A trusted forest information entry was added. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4865(S): A trusted forest information entry was added. diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md index e0f05fbf3e..f189e60e01 100644 --- a/windows/security/threat-protection/auditing/event-4866.md +++ b/windows/security/threat-protection/auditing/event-4866.md @@ -2,7 +2,7 @@ title: 4866(S) A trusted forest information entry was removed. (Windows 10) description: Describes security event 4866(S) A trusted forest information entry was removed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4866(S): A trusted forest information entry was removed. diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md index ae2bf03bb6..9635b1cd74 100644 --- a/windows/security/threat-protection/auditing/event-4867.md +++ b/windows/security/threat-protection/auditing/event-4867.md @@ -2,7 +2,7 @@ title: 4867(S) A trusted forest information entry was modified. (Windows 10) description: Describes security event 4867(S) A trusted forest information entry was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4867(S): A trusted forest information entry was modified. diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md index c8b89b375c..d5a7640b84 100644 --- a/windows/security/threat-protection/auditing/event-4902.md +++ b/windows/security/threat-protection/auditing/event-4902.md @@ -2,7 +2,7 @@ title: 4902(S) The Per-user audit policy table was created. (Windows 10) description: Describes security event 4902(S) The Per-user audit policy table was created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4902(S): The Per-user audit policy table was created. diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md index cfd3f1c0fe..d22ff00643 100644 --- a/windows/security/threat-protection/auditing/event-4904.md +++ b/windows/security/threat-protection/auditing/event-4904.md @@ -2,7 +2,7 @@ title: 4904(S) An attempt was made to register a security event source. (Windows 10) description: Describes security event 4904(S) An attempt was made to register a security event source. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4904(S): An attempt was made to register a security event source. diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md index bfc9d5bbb9..aa98ea5517 100644 --- a/windows/security/threat-protection/auditing/event-4905.md +++ b/windows/security/threat-protection/auditing/event-4905.md @@ -2,7 +2,7 @@ title: 4905(S) An attempt was made to unregister a security event source. (Windows 10) description: Describes security event 4905(S) An attempt was made to unregister a security event source. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4905(S): An attempt was made to unregister a security event source. diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md index 7782a6571d..617b7a2597 100644 --- a/windows/security/threat-protection/auditing/event-4906.md +++ b/windows/security/threat-protection/auditing/event-4906.md @@ -2,7 +2,7 @@ title: 4906(S) The CrashOnAuditFail value has changed. (Windows 10) description: Describes security event 4906(S) The CrashOnAuditFail value has changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4906(S): The CrashOnAuditFail value has changed. diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index 6610d670eb..74edaaa9a3 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -2,7 +2,7 @@ title: 4907(S) Auditing settings on object were changed. (Windows 10) description: Describes security event 4907(S) Auditing settings on object were changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4907(S): Auditing settings on object were changed. diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md index 7573adb5f7..3a12a949e0 100644 --- a/windows/security/threat-protection/auditing/event-4908.md +++ b/windows/security/threat-protection/auditing/event-4908.md @@ -2,7 +2,7 @@ title: 4908(S) Special Groups Logon table modified. (Windows 10) description: Describes security event 4908(S) Special Groups Logon table modified. This event is generated when the Special Groups Logon table is modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4908(S): Special Groups Logon table modified. diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md index 2acda55983..9c3b067418 100644 --- a/windows/security/threat-protection/auditing/event-4909.md +++ b/windows/security/threat-protection/auditing/event-4909.md @@ -2,7 +2,7 @@ title: 4909(-) The local policy settings for the TBS were changed. (Windows 10) description: Describes security event 4909(-) The local policy settings for the TBS were changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4909(-): The local policy settings for the TBS were changed. diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md index 8b90247c65..948c3a6dab 100644 --- a/windows/security/threat-protection/auditing/event-4910.md +++ b/windows/security/threat-protection/auditing/event-4910.md @@ -2,7 +2,7 @@ title: 4910(-) The group policy settings for the TBS were changed. (Windows 10) description: Describes security event 4910(-) The group policy settings for the TBS were changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4910(-): The group policy settings for the TBS were changed. diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index bbd17b1660..cf47c889e0 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -2,7 +2,7 @@ title: 4911(S) Resource attributes of the object were changed. (Windows 10) description: Describes security event 4911(S) Resource attributes of the object were changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4911(S): Resource attributes of the object were changed. diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md index cf141b9a2d..e4bc6d9d43 100644 --- a/windows/security/threat-protection/auditing/event-4912.md +++ b/windows/security/threat-protection/auditing/event-4912.md @@ -2,7 +2,7 @@ title: 4912(S) Per User Audit Policy was changed. (Windows 10) description: Describes security event 4912(S) Per User Audit Policy was changed. This event is generated every time Per User Audit Policy is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4912(S): Per User Audit Policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 3be7e9bec3..95f0aa8b70 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -2,7 +2,7 @@ title: 4913(S) Central Access Policy on the object was changed. (Windows 10) description: Describes security event 4913(S) Central Access Policy on the object was changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4913(S): Central Access Policy on the object was changed. diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md index 664b36c1ca..45fa768785 100644 --- a/windows/security/threat-protection/auditing/event-4928.md +++ b/windows/security/threat-protection/auditing/event-4928.md @@ -2,7 +2,7 @@ title: 4928(S, F) An Active Directory replica source naming context was established. (Windows 10) description: Describes security event 4928(S, F) An Active Directory replica source naming context was established. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4928(S, F): An Active Directory replica source naming context was established. diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md index b5a1ba430e..9e126439a2 100644 --- a/windows/security/threat-protection/auditing/event-4929.md +++ b/windows/security/threat-protection/auditing/event-4929.md @@ -2,7 +2,7 @@ title: 4929(S, F) An Active Directory replica source naming context was removed. (Windows 10) description: Describes security event 4929(S, F) An Active Directory replica source naming context was removed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4929(S, F): An Active Directory replica source naming context was removed. diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md index f7b993d3a9..42d488915d 100644 --- a/windows/security/threat-protection/auditing/event-4930.md +++ b/windows/security/threat-protection/auditing/event-4930.md @@ -2,7 +2,7 @@ title: 4930(S, F) An Active Directory replica source naming context was modified. (Windows 10) description: Describes security event 4930(S, F) An Active Directory replica source naming context was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4930(S, F): An Active Directory replica source naming context was modified. diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md index 3f02d54421..fc3a7fc61f 100644 --- a/windows/security/threat-protection/auditing/event-4931.md +++ b/windows/security/threat-protection/auditing/event-4931.md @@ -2,7 +2,7 @@ title: 4931(S, F) An Active Directory replica destination naming context was modified. (Windows 10) description: Describes security event 4931(S, F) An Active Directory replica destination naming context was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4931(S, F): An Active Directory replica destination naming context was modified. diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md index 615a83328d..4450fb0acc 100644 --- a/windows/security/threat-protection/auditing/event-4932.md +++ b/windows/security/threat-protection/auditing/event-4932.md @@ -2,7 +2,7 @@ title: 4932(S) Synchronization of a replica of an Active Directory naming context has begun. (Windows 10) description: Describes security event 4932(S) Synchronization of a replica of an Active Directory naming context has begun. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4932(S): Synchronization of a replica of an Active Directory naming context has begun. diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md index b5fbe33942..1143269597 100644 --- a/windows/security/threat-protection/auditing/event-4933.md +++ b/windows/security/threat-protection/auditing/event-4933.md @@ -2,7 +2,7 @@ title: 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. (Windows 10) description: Describes security event 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended. diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md index 4a5890af24..ffc4b9b4a3 100644 --- a/windows/security/threat-protection/auditing/event-4934.md +++ b/windows/security/threat-protection/auditing/event-4934.md @@ -2,7 +2,7 @@ title: 4934(S) Attributes of an Active Directory object were replicated. (Windows 10) description: Describes security event 4934(S) Attributes of an Active Directory object were replicated. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4934(S): Attributes of an Active Directory object were replicated. diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md index c9e2159bc0..f2910784e6 100644 --- a/windows/security/threat-protection/auditing/event-4935.md +++ b/windows/security/threat-protection/auditing/event-4935.md @@ -2,7 +2,7 @@ title: 4935(F) Replication failure begins. (Windows 10) description: Describes security event 4935(F) Replication failure begins. This event is generated when Active Directory replication failure begins. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4935(F): Replication failure begins. diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md index d9d60e43be..3f808bf11d 100644 --- a/windows/security/threat-protection/auditing/event-4936.md +++ b/windows/security/threat-protection/auditing/event-4936.md @@ -2,7 +2,7 @@ title: 4936(S) Replication failure ends. (Windows 10) description: Describes security event 4936(S) Replication failure ends. This event is generated when Active Directory replication failure ends. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4936(S): Replication failure ends. diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md index 8fb915289b..2775be1c5d 100644 --- a/windows/security/threat-protection/auditing/event-4937.md +++ b/windows/security/threat-protection/auditing/event-4937.md @@ -2,7 +2,7 @@ title: 4937(S) A lingering object was removed from a replica. (Windows 10) description: Describes security event 4937(S) A lingering object was removed from a replica. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4937(S): A lingering object was removed from a replica. diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md index ca2c97045e..1b6522a256 100644 --- a/windows/security/threat-protection/auditing/event-4944.md +++ b/windows/security/threat-protection/auditing/event-4944.md @@ -2,7 +2,7 @@ title: 4944(S) The following policy was active when the Windows Firewall started. (Windows 10) description: Describes security event 4944(S) The following policy was active when the Windows Firewall started. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4944(S): The following policy was active when the Windows Firewall started. diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md index 74d3f7c688..da8105bffc 100644 --- a/windows/security/threat-protection/auditing/event-4945.md +++ b/windows/security/threat-protection/auditing/event-4945.md @@ -2,7 +2,7 @@ title: 4945(S) A rule was listed when the Windows Firewall started. (Windows 10) description: Describes security event 4945(S) A rule was listed when the Windows Firewall started. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4945(S): A rule was listed when the Windows Firewall started. diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md index 4ff3dd9f1d..30ae25fd28 100644 --- a/windows/security/threat-protection/auditing/event-4946.md +++ b/windows/security/threat-protection/auditing/event-4946.md @@ -2,7 +2,7 @@ title: 4946(S) A change has been made to Windows Firewall exception list. A rule was added. (Windows 10) description: Describes security event 4946(S) A change has been made to Windows Firewall exception list. A rule was added. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4946(S): A change has been made to Windows Firewall exception list. A rule was added. diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md index a4906d1dbc..b38eef6371 100644 --- a/windows/security/threat-protection/auditing/event-4947.md +++ b/windows/security/threat-protection/auditing/event-4947.md @@ -2,7 +2,7 @@ title: 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. (Windows 10) description: Describes security event 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4947(S): A change has been made to Windows Firewall exception list. A rule was modified. diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md index 5c86cb55c9..5f92a37c6a 100644 --- a/windows/security/threat-protection/auditing/event-4948.md +++ b/windows/security/threat-protection/auditing/event-4948.md @@ -2,7 +2,7 @@ title: 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. (Windows 10) description: Describes security event 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted. diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md index 983159d9e8..e304844bc8 100644 --- a/windows/security/threat-protection/auditing/event-4949.md +++ b/windows/security/threat-protection/auditing/event-4949.md @@ -2,7 +2,7 @@ title: 4949(S) Windows Firewall settings were restored to the default values. (Windows 10) description: Describes security event 4949(S) Windows Firewall settings were restored to the default values. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4949(S): Windows Firewall settings were restored to the default values. diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md index eb6c3770c9..54ead99c65 100644 --- a/windows/security/threat-protection/auditing/event-4950.md +++ b/windows/security/threat-protection/auditing/event-4950.md @@ -2,7 +2,7 @@ title: 4950(S) A Windows Firewall setting has changed. (Windows 10) description: Describes security event 4950(S) A Windows Firewall setting has changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4950(S): A Windows Firewall setting has changed. diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md index ff8ed88bdb..4a2c32b9e2 100644 --- a/windows/security/threat-protection/auditing/event-4951.md +++ b/windows/security/threat-protection/auditing/event-4951.md @@ -2,7 +2,7 @@ title: 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. (Windows 10) description: Describes security event 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md index 0bd8a3b9b6..150a0ac97d 100644 --- a/windows/security/threat-protection/auditing/event-4952.md +++ b/windows/security/threat-protection/auditing/event-4952.md @@ -2,7 +2,7 @@ title: 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. (Windows 10) description: Security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4952(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md index 1e9dcd7898..38d9aa6a3d 100644 --- a/windows/security/threat-protection/auditing/event-4953.md +++ b/windows/security/threat-protection/auditing/event-4953.md @@ -2,7 +2,7 @@ title: 4953(F) Windows Firewall ignored a rule because it could not be parsed. (Windows 10) description: Describes security event 4953(F) Windows Firewall ignored a rule because it could not be parsed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4953(F): Windows Firewall ignored a rule because it could not be parsed. diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md index b58926388b..99bb6457e2 100644 --- a/windows/security/threat-protection/auditing/event-4954.md +++ b/windows/security/threat-protection/auditing/event-4954.md @@ -2,7 +2,7 @@ title: 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. (Windows 10) description: Describes security event 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied. diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md index 6af6a50864..34d36fa5d0 100644 --- a/windows/security/threat-protection/auditing/event-4956.md +++ b/windows/security/threat-protection/auditing/event-4956.md @@ -2,7 +2,7 @@ title: 4956(S) Windows Firewall has changed the active profile. (Windows 10) description: Describes security event 4956(S) Windows Firewall has changed the active profile. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4956(S): Windows Firewall has changed the active profile. diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md index 396a5b587d..8b822ee84c 100644 --- a/windows/security/threat-protection/auditing/event-4957.md +++ b/windows/security/threat-protection/auditing/event-4957.md @@ -2,7 +2,7 @@ title: 4957(F) Windows Firewall did not apply the following rule. (Windows 10) description: Describes security event 4957(F) Windows Firewall did not apply the following rule. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4957(F): Windows Firewall did not apply the following rule. diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md index 14d3b2ad4b..05922fd7a7 100644 --- a/windows/security/threat-protection/auditing/event-4958.md +++ b/windows/security/threat-protection/auditing/event-4958.md @@ -2,7 +2,7 @@ title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. (Windows 10) description: Describes security event 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md index 4cd9707147..0ee97ac194 100644 --- a/windows/security/threat-protection/auditing/event-4964.md +++ b/windows/security/threat-protection/auditing/event-4964.md @@ -2,7 +2,7 @@ title: 4964(S) Special groups have been assigned to a new logon. (Windows 10) description: Describes security event 4964(S) Special groups have been assigned to a new logon. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4964(S): Special groups have been assigned to a new logon. diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md index 2a98d42db6..9b3680639b 100644 --- a/windows/security/threat-protection/auditing/event-4985.md +++ b/windows/security/threat-protection/auditing/event-4985.md @@ -2,7 +2,7 @@ title: 4985(S) The state of a transaction has changed. (Windows 10) description: Describes security event 4985(S) The state of a transaction has changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4985(S): The state of a transaction has changed. diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md index 9dede9c866..b24cd95e31 100644 --- a/windows/security/threat-protection/auditing/event-5024.md +++ b/windows/security/threat-protection/auditing/event-5024.md @@ -2,7 +2,7 @@ title: 5024(S) The Windows Firewall Service has started successfully. (Windows 10) description: Describes security event 5024(S) The Windows Firewall Service has started successfully. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5024(S): The Windows Firewall Service has started successfully. diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md index d6a60c5da2..a9a3c5e14b 100644 --- a/windows/security/threat-protection/auditing/event-5025.md +++ b/windows/security/threat-protection/auditing/event-5025.md @@ -2,7 +2,7 @@ title: 5025(S) The Windows Firewall Service has been stopped. (Windows 10) description: Describes security event 5025(S) The Windows Firewall Service has been stopped. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5025(S): The Windows Firewall Service has been stopped. diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md index 23bf6e5c30..4ea2177c6b 100644 --- a/windows/security/threat-protection/auditing/event-5027.md +++ b/windows/security/threat-protection/auditing/event-5027.md @@ -1,8 +1,8 @@ --- title: 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. (Windows 10) -description: Details on security event 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. +description: Details on security event 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md index 8929b86d33..9ab51ca985 100644 --- a/windows/security/threat-protection/auditing/event-5028.md +++ b/windows/security/threat-protection/auditing/event-5028.md @@ -2,7 +2,7 @@ title: 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. (Windows 10) description: Describes security event 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md index dcdda6a60f..46d9b7b3e7 100644 --- a/windows/security/threat-protection/auditing/event-5029.md +++ b/windows/security/threat-protection/auditing/event-5029.md @@ -2,7 +2,7 @@ title: 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. (Windows 10) description: Describes security event 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5029(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md index 37d3844e1f..de68bc30db 100644 --- a/windows/security/threat-protection/auditing/event-5030.md +++ b/windows/security/threat-protection/auditing/event-5030.md @@ -2,7 +2,7 @@ title: 5030(F) The Windows Firewall Service failed to start. (Windows 10) description: Describes security event 5030(F) The Windows Firewall Service failed to start. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5030(F): The Windows Firewall Service failed to start. diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index e6bcd4a68c..7453df6988 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md @@ -5,11 +5,12 @@ manager: dansimp ms.author: dansimp description: Describes security event 5031(F) The Windows Firewall Service blocked an application from accepting incoming connections on the network. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp +ms.technology: mde --- # 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network. diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md index 02b5e5768f..a356c6ba72 100644 --- a/windows/security/threat-protection/auditing/event-5032.md +++ b/windows/security/threat-protection/auditing/event-5032.md @@ -2,7 +2,7 @@ title: 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. (Windows 10) description: Describes security event 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5032(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md index 834f4c95b8..05552da629 100644 --- a/windows/security/threat-protection/auditing/event-5033.md +++ b/windows/security/threat-protection/auditing/event-5033.md @@ -2,7 +2,7 @@ title: 5033(S) The Windows Firewall Driver has started successfully. (Windows 10) description: Describes security event 5033(S) The Windows Firewall Driver has started successfully. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5033(S): The Windows Firewall Driver has started successfully. diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md index c3f04488fa..7cef4c54e0 100644 --- a/windows/security/threat-protection/auditing/event-5034.md +++ b/windows/security/threat-protection/auditing/event-5034.md @@ -2,7 +2,7 @@ title: 5034(S) The Windows Firewall Driver was stopped. (Windows 10) description: Describes security event 5034(S) The Windows Firewall Driver was stopped. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5034(S): The Windows Firewall Driver was stopped. diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md index 2815638be4..6b9d8a9488 100644 --- a/windows/security/threat-protection/auditing/event-5035.md +++ b/windows/security/threat-protection/auditing/event-5035.md @@ -2,7 +2,7 @@ title: 5035(F) The Windows Firewall Driver failed to start. (Windows 10) description: Describes security event 5035(F) The Windows Firewall Driver failed to start. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5035(F): The Windows Firewall Driver failed to start. diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md index 026d2c2985..a189ce3f21 100644 --- a/windows/security/threat-protection/auditing/event-5037.md +++ b/windows/security/threat-protection/auditing/event-5037.md @@ -2,7 +2,7 @@ title: 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. (Windows 10) description: Describes security event 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5037(F): The Windows Firewall Driver detected critical runtime error. Terminating. diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index 15bd4ad7e1..eac7f9eea0 100644 --- a/windows/security/threat-protection/auditing/event-5038.md +++ b/windows/security/threat-protection/auditing/event-5038.md @@ -2,7 +2,7 @@ title: 5038(F) Code integrity determined that the image hash of a file is not valid. (Windows 10) description: Describes security event 5038(F) Code integrity determined that the image hash of a file is not valid. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md index 1f6c100b8d..fda19e5f16 100644 --- a/windows/security/threat-protection/auditing/event-5039.md +++ b/windows/security/threat-protection/auditing/event-5039.md @@ -2,7 +2,7 @@ title: 5039(-) A registry key was virtualized. (Windows 10) description: Describes security event 5039(-) A registry key was virtualized. This event is generated when a registry key is virtualized using LUAFV. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5039(-): A registry key was virtualized. diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md index 0bf8362113..3ac07671d2 100644 --- a/windows/security/threat-protection/auditing/event-5051.md +++ b/windows/security/threat-protection/auditing/event-5051.md @@ -2,7 +2,7 @@ title: 5051(-) A file was virtualized. (Windows 10) description: Describes security event 5051(-) A file was virtualized. This event is generated when a file is virtualized using LUAFV. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5051(-): A file was virtualized. diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index 96e278db56..a717d05e4a 100644 --- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md @@ -2,7 +2,7 @@ title: 5056(S) A cryptographic self-test was performed. (Windows 10) description: Describes security event 5056(S) A cryptographic self-test was performed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5056(S): A cryptographic self-test was performed. diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index eb3cc568ab..c83ca8bd2e 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -2,7 +2,7 @@ title: 5057(F) A cryptographic primitive operation failed. (Windows 10) description: Describes security event 5057(F) A cryptographic primitive operation failed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5057(F): A cryptographic primitive operation failed. diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md index 008ecb3292..5f999b36d1 100644 --- a/windows/security/threat-protection/auditing/event-5058.md +++ b/windows/security/threat-protection/auditing/event-5058.md @@ -2,7 +2,7 @@ title: 5058(S, F) Key file operation. (Windows 10) description: Describes security event 5058(S, F) Key file operation. This event is generated when an operation is performed on a file that contains a KSP key. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5058(S, F): Key file operation. diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md index 096fcfe2c9..e7c0a1264b 100644 --- a/windows/security/threat-protection/auditing/event-5059.md +++ b/windows/security/threat-protection/auditing/event-5059.md @@ -2,7 +2,7 @@ title: 5059(S, F) Key migration operation. (Windows 10) description: Describes security event 5059(S, F) Key migration operation. This event is generated when a cryptographic key is exported/imported using a Key Storage Provider. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5059(S, F): Key migration operation. diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index e24e71d924..11b9903d5d 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -2,7 +2,7 @@ title: 5060(F) Verification operation failed. (Windows 10) description: Describes security event 5060(F) Verification operation failed. This event is generated when the CNG verification operation fails. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5060(F): Verification operation failed. diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md index d283324906..a7f832d34b 100644 --- a/windows/security/threat-protection/auditing/event-5061.md +++ b/windows/security/threat-protection/auditing/event-5061.md @@ -2,7 +2,7 @@ title: 5061(S, F) Cryptographic operation. (Windows 10) description: Describes security event 5061(S, F) Cryptographic operation. This event is generated when a cryptographic operation is performed using a Key Storage Provider. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5061(S, F): Cryptographic operation. diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md index 0d9e37b259..e397844d41 100644 --- a/windows/security/threat-protection/auditing/event-5062.md +++ b/windows/security/threat-protection/auditing/event-5062.md @@ -2,7 +2,7 @@ title: 5062(S) A kernel-mode cryptographic self-test was performed. (Windows 10) description: Describes security event 5062(S) A kernel-mode cryptographic self-test was performed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5062(S): A kernel-mode cryptographic self-test was performed. diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md index 159cda1e2b..e06e3118a6 100644 --- a/windows/security/threat-protection/auditing/event-5063.md +++ b/windows/security/threat-protection/auditing/event-5063.md @@ -2,7 +2,7 @@ title: 5063(S, F) A cryptographic provider operation was attempted. (Windows 10) description: Describes security event 5063(S, F) A cryptographic provider operation was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5063(S, F): A cryptographic provider operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md index a5c3c577e0..77da8c5596 100644 --- a/windows/security/threat-protection/auditing/event-5064.md +++ b/windows/security/threat-protection/auditing/event-5064.md @@ -2,7 +2,7 @@ title: 5064(S, F) A cryptographic context operation was attempted. (Windows 10) description: Describes security event 5064(S, F) A cryptographic context operation was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5064(S, F): A cryptographic context operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index 0f5d4dd997..7c46971bc8 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -2,7 +2,7 @@ title: 5065(S, F) A cryptographic context modification was attempted. (Windows 10) description: Describes security event 5065(S, F) A cryptographic context modification was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5065(S, F): A cryptographic context modification was attempted. diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md index 9c5f389dcf..c78b0bd513 100644 --- a/windows/security/threat-protection/auditing/event-5066.md +++ b/windows/security/threat-protection/auditing/event-5066.md @@ -2,7 +2,7 @@ title: 5066(S, F) A cryptographic function operation was attempted. (Windows 10) description: Describes security event 5066(S, F) A cryptographic function operation was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5066(S, F): A cryptographic function operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md index 6ab1f5a7c1..eae3eb2038 100644 --- a/windows/security/threat-protection/auditing/event-5067.md +++ b/windows/security/threat-protection/auditing/event-5067.md @@ -2,7 +2,7 @@ title: 5067(S, F) A cryptographic function modification was attempted. (Windows 10) description: Describes security event 5067(S, F) A cryptographic function modification was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5067(S, F): A cryptographic function modification was attempted. diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md index fb084fd8dd..1cb02be991 100644 --- a/windows/security/threat-protection/auditing/event-5068.md +++ b/windows/security/threat-protection/auditing/event-5068.md @@ -2,7 +2,7 @@ title: 5068(S, F) A cryptographic function provider operation was attempted. (Windows 10) description: Describes security event 5068(S, F) A cryptographic function provider operation was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5068(S, F): A cryptographic function provider operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md index 64dbd91086..104d55f067 100644 --- a/windows/security/threat-protection/auditing/event-5069.md +++ b/windows/security/threat-protection/auditing/event-5069.md @@ -2,7 +2,7 @@ title: 5069(S, F) A cryptographic function property operation was attempted. (Windows 10) description: Describes security event 5069(S, F) A cryptographic function property operation was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5069(S, F): A cryptographic function property operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md index ce069a495c..0cb592e4d4 100644 --- a/windows/security/threat-protection/auditing/event-5070.md +++ b/windows/security/threat-protection/auditing/event-5070.md @@ -2,7 +2,7 @@ title: 5070(S, F) A cryptographic function property modification was attempted. (Windows 10) description: Describes security event 5070(S, F) A cryptographic function property modification was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5070(S, F): A cryptographic function property modification was attempted. diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index a5708a86f6..58301baf30 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md @@ -2,7 +2,7 @@ title: 5136(S) A directory service object was modified. (Windows 10) description: Describes security event 5136(S) A directory service object was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5136(S): A directory service object was modified. diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md index 8d1d729333..959ae8dbd8 100644 --- a/windows/security/threat-protection/auditing/event-5137.md +++ b/windows/security/threat-protection/auditing/event-5137.md @@ -2,7 +2,7 @@ title: 5137(S) A directory service object was created. (Windows 10) description: Describes security event 5137(S) A directory service object was created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5137(S): A directory service object was created. diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md index 75cebe45a7..54582252c1 100644 --- a/windows/security/threat-protection/auditing/event-5138.md +++ b/windows/security/threat-protection/auditing/event-5138.md @@ -2,7 +2,7 @@ title: 5138(S) A directory service object was undeleted. (Windows 10) description: Describes security event 5138(S) A directory service object was undeleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5138(S): A directory service object was undeleted. diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md index fe3921db6f..2860791322 100644 --- a/windows/security/threat-protection/auditing/event-5139.md +++ b/windows/security/threat-protection/auditing/event-5139.md @@ -2,7 +2,7 @@ title: 5139(S) A directory service object was moved. (Windows 10) description: Describes security event 5139(S) A directory service object was moved. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5139(S): A directory service object was moved. diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md index 3d3d5152cc..199e5a4cd7 100644 --- a/windows/security/threat-protection/auditing/event-5140.md +++ b/windows/security/threat-protection/auditing/event-5140.md @@ -2,7 +2,7 @@ title: 5140(S, F) A network share object was accessed. (Windows 10) description: Describes security event 5140(S, F) A network share object was accessed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5140(S, F): A network share object was accessed. diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md index 221a5c56cf..09e46f5b1b 100644 --- a/windows/security/threat-protection/auditing/event-5141.md +++ b/windows/security/threat-protection/auditing/event-5141.md @@ -2,7 +2,7 @@ title: 5141(S) A directory service object was deleted. (Windows 10) description: Describes security event 5141(S) A directory service object was deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5141(S): A directory service object was deleted. diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md index fdb2fe2741..d29c26ddc4 100644 --- a/windows/security/threat-protection/auditing/event-5142.md +++ b/windows/security/threat-protection/auditing/event-5142.md @@ -2,7 +2,7 @@ title: 5142(S) A network share object was added. (Windows 10) description: Describes security event 5142(S) A network share object was added. This event is generated when a network share object is added. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5142(S): A network share object was added. diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index a62699a745..bc8f827e03 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -2,7 +2,7 @@ title: 5143(S) A network share object was modified. (Windows 10) description: Describes security event 5143(S) A network share object was modified. This event is generated when a network share object is modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5143(S): A network share object was modified. diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md index 581c19e3c9..886dc70759 100644 --- a/windows/security/threat-protection/auditing/event-5144.md +++ b/windows/security/threat-protection/auditing/event-5144.md @@ -2,7 +2,7 @@ title: 5144(S) A network share object was deleted. (Windows 10) description: Describes security event 5144(S) A network share object was deleted. This event is generated when a network share object is deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5144(S): A network share object was deleted. diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md index f5ec73669e..dee8d57794 100644 --- a/windows/security/threat-protection/auditing/event-5145.md +++ b/windows/security/threat-protection/auditing/event-5145.md @@ -2,7 +2,7 @@ title: 5145(S, F) A network share object was checked to see whether client can be granted desired access. (Windows 10) description: Describes security event 5145(S, F) A network share object was checked to see whether client can be granted desired access. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5145(S, F): A network share object was checked to see whether client can be granted desired access. diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md index 6787ac6329..23a31eb1a6 100644 --- a/windows/security/threat-protection/auditing/event-5148.md +++ b/windows/security/threat-protection/auditing/event-5148.md @@ -2,7 +2,7 @@ title: 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. (Windows 10) description: Details on Security event 5148(F), The Windows Filtering Platform has detected a DoS attack and entered a defensive mode. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 05/29/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md index 59386a8ef4..04f6c8747a 100644 --- a/windows/security/threat-protection/auditing/event-5149.md +++ b/windows/security/threat-protection/auditing/event-5149.md @@ -2,7 +2,7 @@ title: 5149(F) The DoS attack has subsided and normal processing is being resumed. (Windows 10) description: Describes security event 5149(F) The DoS attack has subsided and normal processing is being resumed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 05/29/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5149(F): The DoS attack has subsided and normal processing is being resumed. diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md index c1f8d98680..018894b1cf 100644 --- a/windows/security/threat-protection/auditing/event-5150.md +++ b/windows/security/threat-protection/auditing/event-5150.md @@ -2,7 +2,7 @@ title: 5150(-) The Windows Filtering Platform blocked a packet. (Windows 10) description: Describes security event 5150(-) The Windows Filtering Platform blocked a packet. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5150(-): The Windows Filtering Platform blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md index 699a093def..1b55b64d41 100644 --- a/windows/security/threat-protection/auditing/event-5151.md +++ b/windows/security/threat-protection/auditing/event-5151.md @@ -2,7 +2,7 @@ title: 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10) description: Describes security event 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md index ece1e4566d..d89a240a64 100644 --- a/windows/security/threat-protection/auditing/event-5152.md +++ b/windows/security/threat-protection/auditing/event-5152.md @@ -2,7 +2,7 @@ title: 5152(F) The Windows Filtering Platform blocked a packet. (Windows 10) description: Describes security event 5152(F) The Windows Filtering Platform blocked a packet. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5152(F): The Windows Filtering Platform blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md index 8751b40002..ce3f53f60d 100644 --- a/windows/security/threat-protection/auditing/event-5153.md +++ b/windows/security/threat-protection/auditing/event-5153.md @@ -2,7 +2,7 @@ title: 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10) description: Describes security event 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md index b464c877d6..5083012650 100644 --- a/windows/security/threat-protection/auditing/event-5154.md +++ b/windows/security/threat-protection/auditing/event-5154.md @@ -2,7 +2,7 @@ title: 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. (Windows 10) description: Describes security event 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index 9964b6f390..7d6eac1919 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -2,7 +2,7 @@ title: 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. (Windows 10) description: Describes security event 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md index d44b9a921f..8c1116cba5 100644 --- a/windows/security/threat-protection/auditing/event-5156.md +++ b/windows/security/threat-protection/auditing/event-5156.md @@ -2,7 +2,7 @@ title: 5156(S) The Windows Filtering Platform has permitted a connection. (Windows 10) description: Describes security event 5156(S) The Windows Filtering Platform has permitted a connection. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5156(S): The Windows Filtering Platform has permitted a connection. diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md index 88bc5b1315..2f2b2cd8fd 100644 --- a/windows/security/threat-protection/auditing/event-5157.md +++ b/windows/security/threat-protection/auditing/event-5157.md @@ -2,7 +2,7 @@ title: 5157(F) The Windows Filtering Platform has blocked a connection. (Windows 10) description: Describes security event 5157(F) The Windows Filtering Platform has blocked a connection. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5157(F): The Windows Filtering Platform has blocked a connection. diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md index 76bb82efef..63753bbc2b 100644 --- a/windows/security/threat-protection/auditing/event-5158.md +++ b/windows/security/threat-protection/auditing/event-5158.md @@ -2,7 +2,7 @@ title: 5158(S) The Windows Filtering Platform has permitted a bind to a local port. (Windows 10) description: Describes security event 5158(S) The Windows Filtering Platform has permitted a bind to a local port. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5158(S): The Windows Filtering Platform has permitted a bind to a local port. diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md index 460e244dd8..b5b867bc47 100644 --- a/windows/security/threat-protection/auditing/event-5159.md +++ b/windows/security/threat-protection/auditing/event-5159.md @@ -2,7 +2,7 @@ title: 5159(F) The Windows Filtering Platform has blocked a bind to a local port. (Windows 10) description: Describes security event 5159(F) The Windows Filtering Platform has blocked a bind to a local port. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5159(F): The Windows Filtering Platform has blocked a bind to a local port. diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md index fcc35ba385..819d9f191e 100644 --- a/windows/security/threat-protection/auditing/event-5168.md +++ b/windows/security/threat-protection/auditing/event-5168.md @@ -2,7 +2,7 @@ title: 5168(F) SPN check for SMB/SMB2 failed. (Windows 10) description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. This event is generated when an SMB SPN check fails. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5168(F): SPN check for SMB/SMB2 failed. diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md index f888db6fb2..3d7cc2e623 100644 --- a/windows/security/threat-protection/auditing/event-5376.md +++ b/windows/security/threat-protection/auditing/event-5376.md @@ -2,7 +2,7 @@ title: 5376(S) Credential Manager credentials were backed up. (Windows 10) description: Describes security event 5376(S) Credential Manager credentials were backed up. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5376(S): Credential Manager credentials were backed up. diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md index 1ed830b074..98ccff769a 100644 --- a/windows/security/threat-protection/auditing/event-5377.md +++ b/windows/security/threat-protection/auditing/event-5377.md @@ -2,7 +2,7 @@ title: 5377(S) Credential Manager credentials were restored from a backup. (Windows 10) description: Describes security event 5377(S) Credential Manager credentials were restored from a backup. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5377(S): Credential Manager credentials were restored from a backup. diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md index bb48a36562..04395a702b 100644 --- a/windows/security/threat-protection/auditing/event-5378.md +++ b/windows/security/threat-protection/auditing/event-5378.md @@ -2,7 +2,7 @@ title: 5378(F) The requested credentials delegation was disallowed by policy. (Windows 10) description: Describes security event 5378(F) The requested credentials delegation was disallowed by policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5378(F): The requested credentials delegation was disallowed by policy. diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md index 89dd2b5bf0..a647b4c565 100644 --- a/windows/security/threat-protection/auditing/event-5447.md +++ b/windows/security/threat-protection/auditing/event-5447.md @@ -2,7 +2,7 @@ title: 5447(S) A Windows Filtering Platform filter has been changed. (Windows 10) description: Describes security event 5447(S) A Windows Filtering Platform filter has been changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5447(S): A Windows Filtering Platform filter has been changed. diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md index 756db4ebbf..0870e6a7fc 100644 --- a/windows/security/threat-protection/auditing/event-5632.md +++ b/windows/security/threat-protection/auditing/event-5632.md @@ -2,7 +2,7 @@ title: 5632(S, F) A request was made to authenticate to a wireless network. (Windows 10) description: Describes security event 5632(S, F) A request was made to authenticate to a wireless network. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5632(S, F): A request was made to authenticate to a wireless network. diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md index d85599c157..1bb8d2d300 100644 --- a/windows/security/threat-protection/auditing/event-5633.md +++ b/windows/security/threat-protection/auditing/event-5633.md @@ -2,7 +2,7 @@ title: 5633(S, F) A request was made to authenticate to a wired network. (Windows 10) description: Describes security event 5633(S, F) A request was made to authenticate to a wired network. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5633(S, F): A request was made to authenticate to a wired network. diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md index 2fae83e65f..5bb81e6f09 100644 --- a/windows/security/threat-protection/auditing/event-5712.md +++ b/windows/security/threat-protection/auditing/event-5712.md @@ -2,7 +2,7 @@ title: 5712(S) A Remote Procedure Call (RPC) was attempted. (Windows 10) description: Describes security event 5712(S) A Remote Procedure Call (RPC) was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5712(S): A Remote Procedure Call (RPC) was attempted. diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md index 43f79ed55d..8531945a54 100644 --- a/windows/security/threat-protection/auditing/event-5888.md +++ b/windows/security/threat-protection/auditing/event-5888.md @@ -2,7 +2,7 @@ title: 5888(S) An object in the COM+ Catalog was modified. (Windows 10) description: Describes security event 5888(S) An object in the COM+ Catalog was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5888(S): An object in the COM+ Catalog was modified. diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md index 5daae37ce0..3fe376f85c 100644 --- a/windows/security/threat-protection/auditing/event-5889.md +++ b/windows/security/threat-protection/auditing/event-5889.md @@ -2,7 +2,7 @@ title: 5889(S) An object was deleted from the COM+ Catalog. (Windows 10) description: Describes security event 5889(S) An object was deleted from the COM+ Catalog. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5889(S): An object was deleted from the COM+ Catalog. diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md index f5f0c81561..9a90b1a6a3 100644 --- a/windows/security/threat-protection/auditing/event-5890.md +++ b/windows/security/threat-protection/auditing/event-5890.md @@ -2,7 +2,7 @@ title: 5890(S) An object was added to the COM+ Catalog. (Windows 10) description: Describes security event 5890(S) An object was added to the COM+ Catalog. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5890(S): An object was added to the COM+ Catalog. diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md index 7f0df8a521..7565e8f794 100644 --- a/windows/security/threat-protection/auditing/event-6144.md +++ b/windows/security/threat-protection/auditing/event-6144.md @@ -2,7 +2,7 @@ title: 6144(S) Security policy in the group policy objects has been applied successfully. (Windows 10) description: Describes security event 6144(S) Security policy in the group policy objects has been applied successfully. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6144(S): Security policy in the group policy objects has been applied successfully. diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md index c9a27526cd..8b541749d6 100644 --- a/windows/security/threat-protection/auditing/event-6145.md +++ b/windows/security/threat-protection/auditing/event-6145.md @@ -2,7 +2,7 @@ title: 6145(F) One or more errors occurred while processing security policy in the group policy objects. (Windows 10) description: Describes security event 6145(F) One or more errors occurred while processing security policy in the group policy objects. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6145(F): One or more errors occurred while processing security policy in the group policy objects. diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md index e8dfb2d7cf..b4d79cbbdb 100644 --- a/windows/security/threat-protection/auditing/event-6281.md +++ b/windows/security/threat-protection/auditing/event-6281.md @@ -2,7 +2,7 @@ title: 6281(F) Code Integrity determined that the page hashes of an image file are not valid. (Windows 10) description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file are not valid. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md index 7a379132bc..acefc262d9 100644 --- a/windows/security/threat-protection/auditing/event-6400.md +++ b/windows/security/threat-protection/auditing/event-6400.md @@ -2,7 +2,7 @@ title: 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. (Windows 10) description: Describes security event 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content. diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md index 1ce4c083dd..1b442d10d9 100644 --- a/windows/security/threat-protection/auditing/event-6401.md +++ b/windows/security/threat-protection/auditing/event-6401.md @@ -2,7 +2,7 @@ title: 6401(-) BranchCache Received invalid data from a peer. Data discarded. (Windows 10) description: Describes security event 6401(-) BranchCache Received invalid data from a peer. Data discarded. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6401(-): BranchCache: Received invalid data from a peer. Data discarded. diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md index dde20455d3..77a10ac4dc 100644 --- a/windows/security/threat-protection/auditing/event-6402.md +++ b/windows/security/threat-protection/auditing/event-6402.md @@ -2,7 +2,7 @@ title: 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. (Windows 10) description: Describes security event 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted. diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md index e8020581ad..d730acb9d3 100644 --- a/windows/security/threat-protection/auditing/event-6403.md +++ b/windows/security/threat-protection/auditing/event-6403.md @@ -2,7 +2,7 @@ title: 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. (Windows 10) description: Describes security event 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client. diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md index 43228f26be..808c8e4264 100644 --- a/windows/security/threat-protection/auditing/event-6404.md +++ b/windows/security/threat-protection/auditing/event-6404.md @@ -2,7 +2,7 @@ title: 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. (Windows 10) description: Describes security event 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md index ea59bc3fc7..2638753673 100644 --- a/windows/security/threat-protection/auditing/event-6405.md +++ b/windows/security/threat-protection/auditing/event-6405.md @@ -2,7 +2,7 @@ title: 6405(-) BranchCache %2 instance(s) of event id %1 occurred. (Windows 10) description: Describes security event 6405(-) BranchCache %2 instance(s) of event id %1 occurred. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6405(-): BranchCache: %2 instance(s) of event id %1 occurred. diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md index d70fac0adb..11cef9058e 100644 --- a/windows/security/threat-protection/auditing/event-6406.md +++ b/windows/security/threat-protection/auditing/event-6406.md @@ -2,7 +2,7 @@ title: 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. (Windows 10) description: Describes security event 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2. diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md index ca5e8e02d6..1e3d0cbd85 100644 --- a/windows/security/threat-protection/auditing/event-6407.md +++ b/windows/security/threat-protection/auditing/event-6407.md @@ -2,7 +2,7 @@ title: 6407(-) 1%. (Windows 10) description: Describes security event 6407(-) 1%. This is a BranchCache event, which is outside the scope of this document. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6407(-): 1%. diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md index ffb33ccdee..d3bd29901c 100644 --- a/windows/security/threat-protection/auditing/event-6408.md +++ b/windows/security/threat-protection/auditing/event-6408.md @@ -2,7 +2,7 @@ title: 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. (Windows 10) description: Describes security event 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md index e1f76dbf69..97d212be9a 100644 --- a/windows/security/threat-protection/auditing/event-6409.md +++ b/windows/security/threat-protection/auditing/event-6409.md @@ -2,7 +2,7 @@ title: 6409(-) BranchCache A service connection point object could not be parsed. (Windows 10) description: Describes security event 6409(-) BranchCache A service connection point object could not be parsed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6409(-): BranchCache: A service connection point object could not be parsed. diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md index b13bbde8fc..a8980cfb49 100644 --- a/windows/security/threat-protection/auditing/event-6410.md +++ b/windows/security/threat-protection/auditing/event-6410.md @@ -2,7 +2,7 @@ title: 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. (Windows 10) description: Describes security event 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process. diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md index 6e4c4af309..4b85673aa7 100644 --- a/windows/security/threat-protection/auditing/event-6416.md +++ b/windows/security/threat-protection/auditing/event-6416.md @@ -2,7 +2,7 @@ title: 6416(S) A new external device was recognized by the System. (Windows 10) description: Describes security event 6416(S) A new external device was recognized by the System. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6416(S): A new external device was recognized by the System. diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md index e5c1d7fab1..90c145ff77 100644 --- a/windows/security/threat-protection/auditing/event-6419.md +++ b/windows/security/threat-protection/auditing/event-6419.md @@ -2,7 +2,7 @@ title: 6419(S) A request was made to disable a device. (Windows 10) description: Describes security event 6419(S) A request was made to disable a device. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6419(S): A request was made to disable a device. diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md index 2ede6f7fce..51570d3ab3 100644 --- a/windows/security/threat-protection/auditing/event-6420.md +++ b/windows/security/threat-protection/auditing/event-6420.md @@ -2,7 +2,7 @@ title: 6420(S) A device was disabled. (Windows 10) description: Describes security event 6420(S) A device was disabled. This event is generated when a specific device is disabled. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6420(S): A device was disabled. diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md index 4994eafbd7..ef4e0b856f 100644 --- a/windows/security/threat-protection/auditing/event-6421.md +++ b/windows/security/threat-protection/auditing/event-6421.md @@ -2,7 +2,7 @@ title: 6421(S) A request was made to enable a device. (Windows 10) description: Describes security event 6421(S) A request was made to enable a device. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6421(S): A request was made to enable a device. diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md index 606f0228a6..2b2f45d1b8 100644 --- a/windows/security/threat-protection/auditing/event-6422.md +++ b/windows/security/threat-protection/auditing/event-6422.md @@ -2,7 +2,7 @@ title: 6422(S) A device was enabled. (Windows 10) description: Describes security event 6422(S) A device was enabled. This event is generated when a specific device is enabled. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6422(S): A device was enabled. diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md index 67b96baef5..3332a01011 100644 --- a/windows/security/threat-protection/auditing/event-6423.md +++ b/windows/security/threat-protection/auditing/event-6423.md @@ -2,7 +2,7 @@ title: 6423(S) The installation of this device is forbidden by system policy. (Windows 10) description: Describes security event 6423(S) The installation of this device is forbidden by system policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6423(S): The installation of this device is forbidden by system policy. diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md index 4e21756137..8ca1ce36d6 100644 --- a/windows/security/threat-protection/auditing/event-6424.md +++ b/windows/security/threat-protection/auditing/event-6424.md @@ -2,7 +2,7 @@ title: 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. (Windows 10) description: Describes security event 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6424(S): The installation of this device was allowed, after having previously been forbidden by policy. diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md index c9d3a1c9ba..1093140e38 100644 --- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md @@ -4,7 +4,7 @@ description: The policy setting, File System (Global Object Access Auditing), en ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # File System (Global Object Access Auditing) diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md index 58bd7574f2..1efc819647 100644 --- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md +++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md @@ -1,7 +1,7 @@ --- title: How to get a list of XML data name elements in (Windows 10) description: This reference article for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in . -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -11,6 +11,7 @@ ms.date: 10/22/2018 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # How to get a list of XML data name elements in EventData diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md index 51cb23c22b..5331884d19 100644 --- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md @@ -4,7 +4,7 @@ description: Learn how to use advanced security auditing options to monitor chan ms.assetid: 553f98a6-7606-4518-a3c5-347a33105130 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Monitor central access policy and rule definitions diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md index d2369fe778..50b89da04a 100644 --- a/windows/security/threat-protection/auditing/monitor-claim-types.md +++ b/windows/security/threat-protection/auditing/monitor-claim-types.md @@ -4,7 +4,7 @@ description: Learn how to monitor changes to claim types that are associated wit ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Monitor claim types diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md index 14dccc71b4..6d433c9bcd 100644 --- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md @@ -4,7 +4,7 @@ description: Learn how to monitor changes to resource attribute definitions when ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Monitor resource attribute definitions diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md index e6131584e5..d1429af0f1 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md @@ -4,7 +4,7 @@ description: Monitor changes to central access policies associated with files an ms.assetid: 2ea8fc23-b3ac-432f-87b0-6a16506e8eed ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Monitor the central access policies associated with files and folders diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md index fac29703cb..36bd40c78c 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -4,7 +4,7 @@ description: Learn how to monitor changes to the central access policies that ap ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Monitor the central access policies that apply on a file server diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md index e1418e2ad9..243c686c50 100644 --- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md @@ -4,7 +4,7 @@ description: Learn how to use advanced security auditing options to monitor atte ms.assetid: 4944097b-320f-44c7-88ed-bf55946a358b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Monitor the resource attributes on files and folders diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 30ed1af8fc..ef0df1f2a8 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -4,7 +4,7 @@ description: Learn how advanced security auditing options can be used to monitor ms.assetid: b0a9e4a5-b7ff-41c6-96ff-0228d4ba5da8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +14,8 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: +ms.date: +ms.technology: mde --- # Monitor the use of removable storage devices diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md index 606e073432..7f14c10bd0 100644 --- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md @@ -4,7 +4,7 @@ description: Learn how to monitor user and device claims that are associated wit ms.assetid: 71796ea9-5fe4-4183-8475-805c3c1f319f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Monitor user and device claims during sign-in diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md index 42a1f36edd..e74cf80553 100644 --- a/windows/security/threat-protection/auditing/other-events.md +++ b/windows/security/threat-protection/auditing/other-events.md @@ -2,7 +2,7 @@ title: Other Events (Windows 10) description: Describes the Other Events auditing subcategory, which includes events that are generated automatically and enabled by default. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # Other Events diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index 2bc61ffce1..78bb89bc17 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md @@ -4,7 +4,7 @@ description: Learn to deploy an effective security audit policy in a network tha ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Plan and deploy advanced security audit policies diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md index 88585f3a9a..3c5c1ece1e 100644 --- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md @@ -4,7 +4,7 @@ description: The Advanced Security Audit policy setting, Registry (Global Object ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Registry (Global Object Access Auditing) diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md index 8859ea5f7e..ba71110680 100644 --- a/windows/security/threat-protection/auditing/security-auditing-overview.md +++ b/windows/security/threat-protection/auditing/security-auditing-overview.md @@ -4,7 +4,7 @@ description: Learn about security auditing features in Windows, and how your org ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Security auditing diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index 91e999ee6e..9f9218109c 100644 --- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md @@ -4,7 +4,7 @@ description: Domain admins can set up advanced security audit options in Windows ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Using advanced security auditing options to monitor dynamic access control objects diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md index 7c25bfb2f8..84a296e182 100644 --- a/windows/security/threat-protection/auditing/view-the-security-event-log.md +++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md @@ -4,7 +4,7 @@ description: The security log records each event as defined by the audit policie ms.assetid: 20DD2ACD-241A-45C5-A92F-4BE0D9F198B9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # View the security event log diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md index 92cdd0107e..4b20841dd8 100644 --- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md +++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md @@ -4,7 +4,7 @@ description: This reference topic for the IT professional describes which versio ms.assetid: 87c71cc5-522d-4771-ac78-34a2a0825f31 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Which editions of Windows support advanced audit policy configuration diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index 70362c9d1c..fa3a798839 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -1,29 +1,30 @@ --- title: Block untrusted fonts in an enterprise (Windows 10) -description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. +description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature. ms.assetid: a3354c8e-4208-4be6-bc19-56a572c361b4 ms.reviewer: manager: dansimp keywords: font blocking, untrusted font blocking, block fonts, untrusted fonts -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library -author: dulcemontemayor +author: dansimp ms.author: dansimp ms.date: 08/14/2017 ms.localizationpriority: medium +ms.technology: mde --- # Block untrusted fonts in an enterprise **Applies to:** -- Windows 10 +- Windows 10 ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). +> Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). -To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. +To help protect your company from attacks which may originate from untrusted or attacker-controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. ## What does this mean for me? Blocking untrusted fonts helps improve your network and employee protection against font-processing-related attacks. By default, this feature is not turned on. @@ -31,24 +32,27 @@ Blocking untrusted fonts helps improve your network and employee protection agai ## How does this feature work? There are 3 ways to use this feature: -- **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging. +- **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging. -- **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.

**Note**
If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues. +- **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log. -- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts). + > [!NOTE] + > If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues. + +- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts). ## Potential reductions in functionality After you turn this feature on, your employees might experience reduced functionality when: -- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been specifically excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used. +- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been specifically excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used. -- Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](https://go.microsoft.com/fwlink/p/?LinkId=522302). +- Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](https://go.microsoft.com/fwlink/p/?LinkId=522302). -- Using first or third-party apps that use memory-based fonts. +- Using first or third-party apps that use memory-based fonts. -- Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently. +- Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently. -- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office. +- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office. ## Turn on and use the Blocking Untrusted Fonts feature Use Group Policy or the registry to turn this feature on, off, or to use audit mode. @@ -56,9 +60,9 @@ Use Group Policy or the registry to turn this feature on, off, or to use audit m **To turn on and use the Blocking Untrusted Fonts feature through Group Policy** 1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`. -2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**: +2. Click **Enabled** to turn the feature on, and then click one of the following **Mitigation Options**: - - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. + - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. - **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log. @@ -73,9 +77,9 @@ To turn this feature on, off, or to use audit mode: 2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**. -3. Right click on the **MitigationOptions** key, and then click **Modify**. +3. Right click on the **MitigationOptions** key, and then click **Modify**. - The **Edit QWORD (64-bit) Value** box opens. + The **Edit QWORD (64-bit) Value** box opens. 4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below: @@ -85,8 +89,8 @@ To turn this feature on, off, or to use audit mode: - **To audit with this feature.** Type **3000000000000**. - >[!Important] - >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. + > [!Important] + > Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. 5. Restart your computer. @@ -104,27 +108,27 @@ After you turn this feature on, or start using Audit mode, you can look at your FontType: Memory
FontPath:
Blocked: true - - >[!NOTE] - >Because the **FontType** is *Memory*, there’s no associated **FontPath**. + + > [!NOTE] + > Because the **FontType** is *Memory*, there’s no associated **FontPath**. **Event Example 2 - Winlogon**
Winlogon.exe attempted loading a font that is restricted by font-loading policy.
FontType: File
FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
Blocked: true - - >[!NOTE] - >Because the **FontType** is *File*, there’s also an associated **FontPath**. + + > [!NOTE] + > Because the **FontType** is *File*, there’s also an associated **FontPath**. **Event Example 3 - Internet Explorer running in Audit mode**
Iexplore.exe attempted loading a font that is restricted by font-loading policy.
FontType: Memory
FontPath:
Blocked: false - - >[!NOTE] - >In Audit mode, the problem is recorded, but the font isn’t blocked. + + > [!NOTE] + > In Audit mode, the problem is recorded, but the font isn’t blocked. ## Fix apps having problems because of blocked fonts Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems. @@ -133,21 +137,15 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa **To fix your apps by installing the problematic fonts (recommended)** -- On each computer with the app installed, right-click on the font name and click **Install**.

The font should automatically install into your `%windir%/Fonts` directory. If it doesn’t, you’ll need to manually copy the font files into the **Fonts** directory and run the installation from there. +- On each computer with the app installed, right-click on the font name and click **Install**.

The font should automatically install into your `%windir%/Fonts` directory. If it doesn’t, you’ll need to manually copy the font files into the **Fonts** directory and run the installation from there. **To fix your apps by excluding processes** 1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`.

For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. -2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic. +2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature), earlier in this article. + - ## Related content -- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/) - - - - - - +- [Dropping the “Untrusted Font Blocking” setting](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068/) diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md index af17bfed1e..50746cadf8 100644 --- a/windows/security/threat-protection/change-history-for-threat-protection.md +++ b/windows/security/threat-protection/change-history-for-threat-protection.md @@ -1,9 +1,9 @@ --- -title: Change history for [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +title: "Change history for [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)" ms.reviewer: ms.author: dansimp -description: This topic lists new and updated topics in the WWindows Defender ATP content set. -ms.prod: w10 +description: This topic lists new and updated topics in the Defender for Endpoint content set. +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,14 +13,15 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.localizationpriority: medium +ms.technology: mde --- # Change history for threat protection -This topic lists new and updated topics in the [Microsoft Defender ATP](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) documentation. +This topic lists new and updated topics in the [Defender for Endpoint](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) documentation. ## August 2018 New or changed topic | Description ---------------------|------------ -[Microsoft Defender Advanced Threat Protection](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Windows Defender ATP platform. +[Microsoft Defender for Endpoint](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Defender for Endpoint platform. diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index add9bc1309..1c2d45ad8e 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -1,7 +1,7 @@ --- title: How to control USB devices and other removable media using Intune (Windows 10) description: You can configure Intune settings to reduce threats from removable storage such as USB devices. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -11,15 +11,16 @@ author: dansimp ms.reviewer: dansimp manager: dansimp audience: ITPro +ms.technology: mde --- -# How to control USB devices and other removable media using Microsoft Defender ATP +# How to control USB devices and other removable media using Microsoft Defender for Endpoint -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Microsoft Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: +Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: -1. [Discover plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity. +1. [Discover plug and play connected events for peripherals in Microsoft Defender for Endpoint advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity. 2. Configure to allow or block only certain removable devices and prevent threats. 1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by using USB device IDs. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. @@ -28,22 +29,22 @@ Microsoft recommends [a layered approach to securing removable media](https://ak - Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware. - The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB. - Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in. -3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). +3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender for Endpoint events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). 4. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral. >[!Note] ->These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Microsoft Defender ATP and Azure Information Protection. +>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Microsoft Defender for Endpoint and Azure Information Protection. ## Discover plug and play connected events -You can view plug and play connected events in Microsoft Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. -For examples of Microsoft Defender ATP advanced hunting queries, see the [Microsoft Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). +You can view plug and play connected events in Microsoft Defender for Endpoint advanced hunting to identify suspicious usage activity or perform internal investigations. +For examples of Defender for Endpoint advanced hunting queries, see the [Microsoft Defender for Endpoint hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). -Sample Power BI report templates are available for Microsoft Defender ATP that you can use for Advanced hunting queries. With these sample templates, including one for device control, you can integrate the power of Advanced hunting into Power BI. See the [GitHub repository for PowerBI templates](https://github.com/microsoft/MDATP-PowerBI-Templates) for more information. See [Create custom reports using Power BI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) to learn more about Power BI integration. +Sample Power BI report templates are available for Microsoft Defender for Endpoint that you can use for Advanced hunting queries. With these sample templates, including one for device control, you can integrate the power of Advanced hunting into Power BI. See the [GitHub repository for PowerBI templates](https://github.com/microsoft/MDATP-PowerBI-Templates) for more information. See [Create custom reports using Power BI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) to learn more about Power BI integration. ## Allow or block removable devices -The following table describes the ways Microsoft Defender ATP can allow or block removable devices based on granular configuration. +The following table describes the ways Microsoft Defender for Endpoint can allow or block removable devices based on granular configuration. | Control | Description | |----------|-------------| @@ -54,11 +55,11 @@ The following table describes the ways Microsoft Defender ATP can allow or block | [Allow installation and usage of specifically approved peripherals with matching device instance IDs](#allow-installation-and-usage-of-specifically-approved-peripherals-with-matching-device-instance-ids) | You can only install and use approved peripherals that match any of these device instance IDs. | | [Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs](#prevent-installation-and-usage-of-specifically-prohibited-peripherals-with-matching-device-instance-ids) | You can't install or use prohibited peripherals that match any of these device instance IDs. | | [Limit services that use Bluetooth](#limit-services-that-use-bluetooth) | You can limit the services that can use Bluetooth. | -| [Use Microsoft Defender ATP baseline settings](#use-microsoft-defender-atp-baseline-settings) | You can set the recommended configuration for ATP by using the Microsoft Defender ATP security baseline. | +| [Use Microsoft Defender for Endpoint baseline settings](#use-microsoft-defender-for-endpoint-baseline-settings) | You can set the recommended configuration for ATP by using the Defender for Endpoint security baseline. | ### Restrict USB drives and other peripherals -To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender ATP can help prevent installation and usage of USB drives and other peripherals. +To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender for Endpoint can help prevent installation and usage of USB drives and other peripherals. | Control | Description |----------|-------------| @@ -75,7 +76,7 @@ The above policies can also be set through the [Device Installation CSP settings > [!Note] > Always test and refine these settings with a pilot group of users and devices first before applying them in production. -For more information about controlling USB devices, see the [Microsoft Defender ATP blog](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/). +For more information about controlling USB devices, see the [Microsoft Defender for Endpoint blog](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/). #### Allow installation and usage of USB drives and other peripherals @@ -189,7 +190,7 @@ Allowing installation of specific devices requires also enabling [DeviceInstalla ### Prevent installation of specifically prohibited peripherals -Microsoft Defender ATP blocks installation and usage of prohibited peripherals by using either of these options: +Microsoft Defender for Endpoint blocks installation and usage of prohibited peripherals by using either of these options: - [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class. - [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses). @@ -212,26 +213,26 @@ Using Intune, you can limit the services that can use Bluetooth through the ["Bl ![Bluetooth](images/bluetooth.png) -### Use Microsoft Defender ATP baseline settings +### Use Microsoft Defender for Endpoint baseline settings -The Microsoft Defender ATP baseline settings represent the recommended configuration for ATP. Configuration settings for baseline are located in the edit profile page of the configuration settings. +The Microsoft Defender for Endpoint baseline settings represent the recommended configuration for ATP. Configuration settings for baseline are located in the edit profile page of the configuration settings. ![Baselines](images/baselines.png) ## Prevent threats from removable storage -Removable storage devices can introduce additional security risk to your organization. Microsoft Defender ATP can help identify and block malicious files on removable storage devices. +Removable storage devices can introduce additional security risk to your organization. Microsoft Defender for Endpoint can help identify and block malicious files on removable storage devices. -Microsoft Defender ATP can also prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. +Microsoft Defender for Endpoint can also prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. Note that if you block USB devices or any other device classes using the device installation policies, connected devices, such as phones, can still charge. >[!NOTE] >Always test and refine these settings with a pilot group of users and devices first before widely distributing to your organization. -The following table describes the ways Microsoft Defender ATP can help prevent threats from removable storage. +The following table describes the ways Microsoft Defender for Endpoint can help prevent threats from removable storage. -For more information about controlling USB devices, see the [Microsoft Defender ATP blog](https://aka.ms/devicecontrolblog). +For more information about controlling USB devices, see the [Microsoft Defender for Endpoint blog](https://aka.ms/devicecontrolblog). | Control | Description | |----------|-------------| @@ -266,29 +267,17 @@ Affected file types include executable files (such as .exe, .dll, or .scr) and s These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). -1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). -2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. - - ![Create device configuration profile](images/create-device-configuration-profile.png) - +1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). +2. Click **Devices** > **Windows** > **Configuration Policies** > **Create profile**. +![Create device configuration profile](images/create-device-configuration-profile.png) 3. Use the following settings: - - - Name: Type a name for the profile - - Description: Type a description - - Platform: Windows 10 or later - - Profile type: Endpoint protection - - ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) - -4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. - + - Platform: Windows 10 and later + - Profile type: Device restrictions + ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) +4. Click **Create**. 5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. - ![Block untrusted processes](images/block-untrusted-processes.png) - -6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**. - -7. Click **Create** to save the profile. +6. Click **OK** to close settings and **Device restrictions**. ### Protect against Direct Memory Access (DMA) attacks @@ -327,7 +316,7 @@ For information on device control related advance hunting events and examples on ## Respond to threats -You can create custom alerts and automatic response actions with the [Microsoft Defender ATP Custom Detection Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using [PowerApps](https://powerapps.microsoft.com/) and [Flow](https://flow.microsoft.com/) with the [Microsoft Defender ATP connector](https://docs.microsoft.com/connectors/wdatp/). The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See [Connectors](https://docs.microsoft.com/connectors/) to learn more about connectors. +You can create custom alerts and automatic response actions with the [Microsoft Defender for Endpoint Custom Detection Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using [PowerApps](https://powerapps.microsoft.com/) and [Flow](https://flow.microsoft.com/) with the [Microsoft Defender for Endpoint connector](https://docs.microsoft.com/connectors/wdatp/). The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See [Connectors](https://docs.microsoft.com/connectors/) to learn more about connectors. For example, using either approach, you can automatically have the Microsoft Defender Antivirus run when a USB device is mounted onto a machine. diff --git a/windows/security/threat-protection/device-control/device-control-report.md b/windows/security/threat-protection/device-control/device-control-report.md new file mode 100644 index 0000000000..2c35de2163 --- /dev/null +++ b/windows/security/threat-protection/device-control/device-control-report.md @@ -0,0 +1,74 @@ +--- +title: Protect your organization’s data with device control +description: Monitor your organization's data security through device control reports. +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +ms.author: v-ajupudi +author: alluthewriter +ms.reviewer: dansimp +manager: dansimp +audience: ITPro +ms.technology: mde +--- +# Protect your organization’s data with device control + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Microsoft Defender for Endpoint device control protects against data loss, by monitoring and controlling media use by devices in your organization, such as the use of removable storage devices and USB drives. + +With the device control report, you can view events that relate to media usage, such as: + +- **Audit events:** Shows the number of audit events that occur when external media is connected. +- **Policy events:** Shows the number of policy events that occur when a device control policy is triggered. + +> [!NOTE] +> The audit event to track media usage is enabled by default for devices onboarded to Microsoft Defender for Endpoint. + +## Understanding the audit events + +The audit events include: + +- **USB drive mount and unmount:** Audit events that are generated when a USB drive is mounted or unmounted. +- **PnP:** Plug and Play audit events are generated when removable storage, a printer, or Bluetooth media is connected. + +## Monitor device control security + +Device control in Microsoft Defender for Endpoint empowers security administrators with tools that enable them to track their organization’s device control security through reports. You can find the device control report in the Microsoft 365 security center by going to **Reports > Device protection**. + +The Device protection card on the **Reports** dashboard shows the number of audit events generated by media type, over the last 180 days. + +> [!div class="mx-imgBorder"] +> ![DeviceControlReportCard](images/devicecontrolcard.png) + +The **View details** button shows more media usage data in the **device control report** page. + +The page provides a dashboard with aggregated number of events per type and a list of events. Administrators can filter on time range, media class name, and device ID. + +> [!div class="mx-imgBorder"] +> ![DeviceControlReportDetails](images/Detaileddevicecontrolreport.png) + +When you select an event, a flyout appears that shows you more information: + +- **General details:** Date, Action mode, and the policy of this event. +- **Media information:** Media information includes Media name, Class name, Class GUID, Device ID, Vendor ID, Volume, Serial number, and Bus type. +- **Location details:** Device name and MDATP device ID. + +> [!div class="mx-imgBorder"] +> ![FilterOnDeviceControlReport](images/devicecontrolreportfilter.png) + +To see real-time activity for this media across the organization, select the **Open Advanced hunting** button. This includes an embedded, pre-defined query. + +> [!div class="mx-imgBorder"] +> ![QueryOnDeviceControlReport](images/Devicecontrolreportquery.png) + +To see the security of the device, select the **Open device page** button on the flyout. This button opens the device entity page. + +> [!div class="mx-imgBorder"] +> ![DeviceEntityPage](images/Devicesecuritypage.png) + +## Reporting delays + +The device control report can have a 12-hour delay from the time a media connection occurs to the time the event is reflected in the card or in the domain list. diff --git a/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png b/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png new file mode 100644 index 0000000000..1943ec1fab Binary files /dev/null and b/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png differ diff --git a/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png b/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png new file mode 100644 index 0000000000..6913ecfcc6 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png differ diff --git a/windows/security/threat-protection/device-control/images/Devicesecuritypage.png b/windows/security/threat-protection/device-control/images/Devicesecuritypage.png new file mode 100644 index 0000000000..d35b3507f8 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/Devicesecuritypage.png differ diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png index 1b6d4aa708..4b8c80fdd7 100644 Binary files a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png and b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/create-profile.png b/windows/security/threat-protection/device-control/images/create-profile.png index ada168228e..b0b7eb7237 100644 Binary files a/windows/security/threat-protection/device-control/images/create-profile.png and b/windows/security/threat-protection/device-control/images/create-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/devicecontrolcard.png b/windows/security/threat-protection/device-control/images/devicecontrolcard.png new file mode 100644 index 0000000000..829014859f Binary files /dev/null and b/windows/security/threat-protection/device-control/images/devicecontrolcard.png differ diff --git a/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png b/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png new file mode 100644 index 0000000000..a7cd33c892 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png differ diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 35846937a0..1c2019f4f1 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -1,7 +1,7 @@ --- title: Enable virtualization-based protection of code integrity description: This article explains the steps to opt in to using HVCI on Windows devices. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: ellevin @@ -12,13 +12,12 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/01/2019 ms.reviewer: +ms.technology: mde --- # Enable virtualization-based protection of code integrity -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. @@ -198,7 +197,7 @@ Value | Description **5.** | If present, NX protections are available. **6.** | If present, SMM mitigations are available. **7.** | If present, Mode Based Execution Control is available. - +**8.** | If present, APIC virtualization is available. #### InstanceIdentifier @@ -229,6 +228,7 @@ Value | Description **1.** | If present, Windows Defender Credential Guard is configured. **2.** | If present, HVCI is configured. **3.** | If present, System Guard Secure Launch is configured. +**4.** | If present, SMM Firmware Measurement is configured. #### SecurityServicesRunning @@ -240,6 +240,7 @@ Value | Description **1.** | If present, Windows Defender Credential Guard is running. **2.** | If present, HVCI is running. **3.** | If present, System Guard Secure Launch is running. +**4.** | If present, SMM Firmware Measurement is running. #### Version diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md index f60748b37b..5b4942082c 100644 --- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md @@ -1,16 +1,16 @@ --- -title: WDAC and virtualization-based code integrity (Windows 10) -description: Hardware and software system integrity-hardening capabilites that can be deployed separately or in combination with Windows Defender Application Control (WDAC). +title: Windows Defender Application Control and virtualization-based code integrity (Windows 10) +description: Hardware and software system integrity-hardening capabilities that can be deployed separately or in combination with Windows Defender Application Control (WDAC). keywords: virtualization, security, malware, device guard -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 07/01/2019 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Windows Defender Application Control and virtualization-based protection of code integrity @@ -19,24 +19,24 @@ ms.custom: asr - Windows 10 - Windows Server 2016 -Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI). +Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks by using virtualization-based protection of code integrity (more specifically, HVCI). -Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices. +Configurable code integrity policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices. Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions: 1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. 2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows. -3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy. -4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution. +3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy. +4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution. ## Windows Defender Application Control -When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either. +When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with more hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either. Configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability. -Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control). +Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as an independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control). We hope this change will help us better communicate options for adopting application control within an organization. ## Related articles diff --git a/windows/security/threat-protection/device-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md index 3ebdf7bf95..d743f3eae6 100644 --- a/windows/security/threat-protection/device-guard/memory-integrity.md +++ b/windows/security/threat-protection/device-guard/memory-integrity.md @@ -3,7 +3,7 @@ title: Memory integrity keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet description: Learn about memory integrity, a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,13 +12,12 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Memory integrity -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) Memory integrity is a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. It uses hardware virtualization and Hyper-V to protect Windows kernel mode processes from the injection and execution of malicious or unverified code. The integrity of code that runs on Windows is validated by memory integrity, making Windows resistant to attacks from malicious software. Memory integrity is a powerful security boundary that helps to block many types of malware from running in Windows 10 and Windows Server 2016 environments. diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index d594900ce7..47f912cc8d 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -2,7 +2,7 @@ title: Deployment guidelines for Windows Defender Device Guard (Windows 10) description: Plan your deployment of Windows Defender Device Guard. Learn about hardware requirements, deployment approaches, code signing and code integrity policies. keywords: virtualization, security, malware -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium author: dansimp @@ -13,13 +13,12 @@ ms.topic: conceptual ms.date: 10/20/2017 ms.reviewer: ms.author: dansimp +ms.technology: mde --- # Baseline protections and additional qualifications for virtualization-based protection of code integrity -**Applies to** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 867aadf0d5..7be719b91a 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -1,7 +1,7 @@ --- title: Federal Information Processing Standard (FIPS) 140 Validation -description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140. -ms.prod: w10 +description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140. +ms.prod: m365-security audience: ITPro author: dansimp ms.author: dansimp @@ -10,47 +10,55 @@ ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.reviewer: +ms.technology: mde --- # FIPS 140-2 Validation ## FIPS 140-2 standard overview -The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard that defines minimum security requirements for cryptographic modules in information technology products, as defined in Section 5131 of the Information Technology Management Reform Act of 1996. +The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. -The [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/Projects/cryptographic-module-validation-program), a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS), validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover eleven areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module. +The [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/Projects/cryptographic-module-validation-program) is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module. ## Microsoft’s approach to FIPS 140-2 validation -Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since the inception of the standard in 2001. Microsoft validates its cryptographic modules under the NIST CMVP, as described above. Multiple Microsoft products, including Windows 10, Windows Server, and many cloud services, use these cryptographic modules. +Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001. Microsoft validates its cryptographic modules under the NIST CMVP, as described above. Multiple Microsoft products, including Windows 10, Windows Server, and many cloud services, use these cryptographic modules. ## Using Windows in a FIPS 140-2 approved mode of operation -Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation. This is commonly referred to as “FIPS mode.”  When this mode is enabled, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows cryptographic operations are run. These self-tests are run in accordance with FIPS 140-2 Section 4.9 and are utilized to ensure that the modules are functioning properly. The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by this mode of operation. The FIPS 140-2 approved mode of operation will not prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms. For applications or components beyond the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library, FIPS mode is merely advisory. +Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation, commonly referred to as "FIPS mode."  If you turn on FIPS mode, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows runs cryptographic operations. These self-tests are run according to FIPS 140-2 Section 4.9. They ensure that the modules are functioning properly. -While US government regulations continue to mandate that FIPS mode be enabled on government computers running Windows, our recommendation is that it is each customer’s decision to make when considering enabling FIPS mode. There are many applications and protocols that look to the FIPS mode policy to determine which cryptographic functionality should be utilized in a given solution. We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it is operating in FIPS 140-2 approved mode.  +The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by FIPS mode. FIPS mode won't prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms. FIPS mode is merely advisory for applications or components other than the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library. + +US government regulations continue to mandate FIPS mode for government devices running Windows. Other customers should decide for themselves if FIPS mode is right for them. There are many applications and protocols that use FIPS mode policy to determine which cryptographic functionality to run. Customers seeking to follow the FIPS 140-2 standard should research the configuration settings of their applications and protocols. This research will help ensure that they can be configured to use FIPS 140-2 validated cryptography. Achieving this FIPS 140-2 approved mode of operation of Windows requires administrators to complete all four steps outlined below. ### Step 1: Ensure FIPS 140-2 validated cryptographic modules are installed -Administrators must ensure that all cryptographic modules installed are FIPS 140-2 validated. This is accomplished by cross-checking the version number of the cryptographic module with the table of validated modules at the end of this topic, organized by operating system release. +Administrators must ensure that all cryptographic modules installed are FIPS 140-2 validated. Tables listing validated modules, organized by operating system release, are available later in this article. ### Step 2: Ensure all security policies for all cryptographic modules are followed -Each of the cryptographic modules has a defined security policy that must be met for the module to operate in its FIPS 140-2 approved mode. The security policy may be found in each module’s published Security Policy Document (SPD). The SPDs for each module may be found by following the links in the table of validated modules at the end of this topic. Click on the module version number to view the published SPD for the module. - +Each of the cryptographic modules has a defined security policy that must be met for the module to operate in its FIPS 140-2 approved mode. The security policy may be found in each module’s published Security Policy Document (SPD). The SPDs for each module may be found in the table of validated modules at the end of this article. Select the module version number to view the published SPD for the module. + ### Step 3: Enable the FIPS security policy -Windows provides the security policy setting, “System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing,” which is used by some Microsoft products to determine whether to operate in a FIPS 140-2 approved mode. When this policy is enabled, the validated cryptographic modules in Windows will also operate in FIPS approved mode. The policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing). +Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode. When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode. This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing). -### Step 4: Ensure only FIPS validated cryptographic algorithms are used +### Step 4: Ensure that only FIPS validated cryptographic algorithms are used -Neither the operating system nor the cryptographic modules can enforce a FIPS approved mode of operation, regardless of the FIPS security policy setting. To run in a FIPS approved mode, an application or service must check for the policy flag and enforce the security policies of the validated modules. If an application or service uses a non-approved cryptographic algorithm or does not follow the security policies of the validated modules, it is not operating in a FIPS approved mode. +FIPS mode is enforced at the level of the application or service. It is not enforced by the operating system or by individual cryptographic modules. Applications or services running in FIPS mode must follow the security policies of validated modules. They must not use a cryptographic algorithm that isn't FIPS-compliant. + +In short, an application or service is running in FIPS mode if it: + +* Checks for the policy flag +* Enforces security policies of validated modules ## Frequently asked questions -### How long does it take to certify cryptographic modules? +### How long does it take to certify a cryptographic module? Microsoft begins certification of cryptographic modules after each major feature release of Windows 10 and Windows Server. The duration of each evaluation varies, depending on many factors. @@ -58,29 +66,29 @@ Microsoft begins certification of cryptographic modules after each major feature The cadence for starting module validation aligns with the feature updates of Windows 10 and Windows Server. As the software industry evolves, operating systems release more frequently. Microsoft completes validation work on major releases but, in between releases, seeks to minimize the changes to the cryptographic modules. -### What is the difference between “FIPS 140 validated” and “FIPS 140 compliant”? +### What is the difference between *FIPS 140 validated* and *FIPS 140 compliant*? -“FIPS 140 validated” means that the cryptographic module, or a product that embeds the module, has been validated (“certified”) by the CMVP as meeting the FIPS 140-2 requirements. “FIPS 140 compliant” is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality. +*FIPS 140 validated* means that the cryptographic module, or a product that embeds the module, has been validated ("certified") by the CMVP as meeting the FIPS 140-2 requirements. *FIPS 140 compliant* is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality. -### I need to know if a Windows service or application is FIPS 140-2 validated. +### How do I know if a Windows service or application is FIPS 140-2 validated? -The cryptographic modules leveraged in Windows are validated through the CMVP, not individual services, applications, hardware peripherals, or other solutions. For a solution to be considered compliant, it must call a FIPS 140-2 validated cryptographic module in the underlying OS and the OS must be configured to run in FIPS mode. Contact the vendor of the service, application, or product for information on whether it calls a validated cryptographic module. +The cryptographic modules used in Windows are validated through the CMVP. They aren't validated by individual services, applications, hardware peripherals, or other solutions. Any compliant solution must call a FIPS 140-2 validated cryptographic module in the underlying OS, and the OS must be configured to run in FIPS mode. Contact the vendor of the service, application, or product for information on whether it calls a validated cryptographic module. -### What does "When operated in FIPS mode" mean on a certificate? +### What does *When operated in FIPS mode* mean on a certificate? -This caveat identifies required configuration and security rules that must be followed to use the cryptographic module in a way that is consistent with its FIPS 140-2 security policy. Each module has its own security policy—a precise specification of the security rules under which it will operate—and employs approved cryptographic algorithms, cryptographic key management, and authentication techniques. The security rules are defined in the Security Policy Document (SPD) for each module. +This label means that certain configuration and security rules must be followed to use the cryptographic module in compliance with its FIPS 140-2 security policy. Each module has its own security policy—a precise specification of the security rules under which it will operate—and employs approved cryptographic algorithms, cryptographic key management, and authentication techniques. The security rules are defined in the Security Policy Document (SPD) for each module. ### What is the relationship between FIPS 140-2 and Common Criteria? -These are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules, while Common Criteria is designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly. +FIPS 140-2 and Common Criteria are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules. Common Criteria are designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly. ### How does FIPS 140 relate to Suite B? -Suite B is a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140-2 standard. +Suite B is a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. The Suite B cryptographic algorithms are a subset of the FIPS approved cryptographic algorithms allowed by the FIPS 140-2 standard. ### Is SMB3 (Server Message Block) FIPS 140 compliant in Windows? -When Windows is configured to operate in FIPS 140 approved mode on both client and server, SMB3 is FIPS 140 compliant and relies on the underlying Windows FIPS 140 validated cryptographic modules for cryptographic operations.  +SMB3 can be FIPS 140 compliant, if Windows is configured to operate in FIPS 140 mode on both client and server. In FIPS mode, SMB3 relies on the underlying Windows FIPS 140 validated cryptographic modules for cryptographic operations. ## Microsoft FIPS 140-2 validated cryptographic modules @@ -314,7 +322,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 10.0.15063 #3095 -

FIPS Approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
+

FIPS approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)

Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

@@ -324,7 +332,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile 10.0.15063 #3094

#3094

-

FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
+

FIPS approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)

Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)

@@ -333,40 +341,40 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile Boot Manager 10.0.15063 #3089 -

FIPS Approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

+

FIPS approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)

Windows OS Loader 10.0.15063 #3090 -

FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

+

FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

Other algorithms: NDRNG

Windows Resume[1] 10.0.15063 #3091 -FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790) +FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790) BitLocker® Dump Filter[2] 10.0.15063 #3092 -FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790) +FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790) Code Integrity (ci.dll) 10.0.15063 #3093 -

FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

+

FIPS approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

Secure Kernel Code Integrity (skci.dll)[3] 10.0.15063 #3096 -

FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

+

FIPS approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

@@ -401,7 +409,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 10.0.14393 #2937 -

FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+

FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)

Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

@@ -410,7 +418,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.14393 #2936 -

FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+

FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)

Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)

@@ -419,14 +427,14 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile Boot Manager 10.0.14393 #2931 -

FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

+

FIPS approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

BitLocker® Windows OS Loader (winload) 10.0.14393 #2932 -FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: NDRNG; MD5 @@ -434,7 +442,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile BitLocker® Windows Resume (winresume)[1] 10.0.14393 #2933 -FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: MD5 @@ -442,13 +450,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile BitLocker® Dump Filter (dumpfve.sys)[2] 10.0.14393 #2934 -FIPS Approved algorithms: AES (Certs. #4061 and #4064) +FIPS approved algorithms: AES (Certs. #4061 and #4064) Code Integrity (ci.dll) 10.0.14393 #2935 -

FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
+

FIPS approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: AES (non-compliant); MD5

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

@@ -457,7 +465,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile Secure Kernel Code Integrity (skci.dll)[3] 10.0.14393 #2938 -

FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
+

FIPS approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)

Other algorithms: MD5

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

@@ -494,7 +502,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 10.0.10586 #2606 -

FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
+

FIPS approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888, and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)

Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

@@ -503,7 +511,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.10586 #2605 -

FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
+

FIPS approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888, and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)

Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)

@@ -512,7 +520,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub Boot Manager[4] 10.0.10586 #2700 -FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
+FIPS approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)

Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) @@ -520,7 +528,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub BitLocker® Windows OS Loader (winload)[5] 10.0.10586 #2701 -FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+FIPS approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)

Other algorithms: MD5; NDRNG @@ -528,7 +536,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub BitLocker® Windows Resume (winresume)[6] 10.0.10586 #2702 -FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+FIPS approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)

Other algorithms: MD5 @@ -536,13 +544,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub BitLocker® Dump Filter (dumpfve.sys)[7] 10.0.10586 #2703 -FIPS Approved algorithms: AES (Certs. #3653) +FIPS approved algorithms: AES (Certs. #3653) Code Integrity (ci.dll) 10.0.10586 #2604 -

FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
+

FIPS approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)

Other algorithms: AES (non-compliant); MD5

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

@@ -551,7 +559,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub Secure Kernel Code Integrity (skci.dll)[8] 10.0.10586 #2607 -

FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
+

FIPS approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)

Other algorithms: MD5

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

@@ -592,7 +600,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 10.0.10240 #2606 -

FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
+

FIPS approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)

Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

@@ -601,7 +609,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.10240 #2605 -

FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
+

FIPS approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)

Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)

@@ -610,7 +618,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Boot Manager[9] 10.0.10240 #2600 -FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
+FIPS approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)

Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) @@ -618,7 +626,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface BitLocker® Windows OS Loader (winload)[10] 10.0.10240 #2601 -FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+FIPS approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)

Other algorithms: MD5; NDRNG @@ -626,7 +634,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface BitLocker® Windows Resume (winresume)[11] 10.0.10240 #2602 -FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+FIPS approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)

Other algorithms: MD5 @@ -634,13 +642,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface BitLocker® Dump Filter (dumpfve.sys)[12] 10.0.10240 #2603 -FIPS Approved algorithms: AES (Certs. #3497 and #3498) +FIPS approved algorithms: AES (Certs. #3497 and #3498) Code Integrity (ci.dll) 10.0.10240 #2604 -

FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
+

FIPS approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)

Other algorithms: AES (non-compliant); MD5

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

@@ -649,7 +657,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Secure Kernel Code Integrity (skci.dll)[13] 10.0.10240 #2607 -

FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
+

FIPS approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)

Other algorithms: MD5

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

@@ -658,13 +666,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface -\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB +\[9\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB -\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB +\[10\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB -\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB +\[11\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB -\[12\] Applies only to Pro, Enterprise and Enterprise LTSB +\[12\] Applies only to Pro, Enterprise, and Enterprise LTSB \[13\] Applies only to Enterprise and Enterprise LTSB @@ -690,25 +698,25 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 6.3.9600 6.3.9600.17031 #2357 -

FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+

FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)

-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

Kernel Mode Cryptographic Primitives Library (cng.sys) 6.3.9600 6.3.9600.17042 #2356 -

FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+

FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)

-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

Boot Manager 6.3.9600 6.3.9600.17031 #2351 -FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+FIPS approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)

Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) @@ -716,7 +724,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded BitLocker® Windows OS Loader (winload) 6.3.9600 6.3.9600.17031 #2352 -FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)

Other algorithms: MD5; NDRNG @@ -724,7 +732,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded BitLocker® Windows Resume (winresume)[14] 6.3.9600 6.3.9600.17031 #2353 -FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)

Other algorithms: MD5 @@ -732,7 +740,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded BitLocker® Dump Filter (dumpfve.sys) 6.3.9600 6.3.9600.17031 #2354 -FIPS Approved algorithms: AES (Cert. #2832)
+FIPS approved algorithms: AES (Cert. #2832)

Other algorithms: N/A @@ -740,7 +748,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded Code Integrity (ci.dll) 6.3.9600 6.3.9600.17031 #2355#2355 -

FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
+

FIPS approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)

Other algorithms: MD5

Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

@@ -767,9 +775,9 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) 6.2.9200 #1892 -FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)

-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

@@ -777,17 +785,17 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone Kernel Mode Cryptographic Primitives Library (cng.sys) 6.2.9200 #1891 -FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)

-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

-Other algorithms: AES (Cert., key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) +Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) Boot Manager 6.2.9200 #1895 -FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: MD5 @@ -795,7 +803,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone BitLocker® Windows OS Loader (WINLOAD) 6.2.9200 #1896 -FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG @@ -803,7 +811,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone BitLocker® Windows Resume (WINRESUME)[15] 6.2.9200 #1898 -FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: MD5 @@ -811,7 +819,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone BitLocker® Dump Filter (DUMPFVE.SYS) 6.2.9200 #1899 -FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+FIPS approved algorithms: AES (Certs. #2196 and #2198)

Other algorithms: N/A @@ -819,7 +827,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone Code Integrity (CI.DLL) 6.2.9200 #1897 -FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: MD5 @@ -827,19 +835,19 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) 6.2.9200 #1893 -FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)

-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Cert., vendor affirmed)
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Certificate, vendor affirmed)

-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert., key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Certificate, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) Enhanced Cryptographic Provider (RSAENH.DLL) 6.2.9200 #1894 -FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+FIPS approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)

-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) @@ -870,11 +878,11 @@ Validated Editions: Windows 7, Windows 7 SP1

6.1.7600.16385

6.1.7601.17514

1329 -FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)

-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and); SHS (Cert.); Triple-DES (Cert.)
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and); SHS (Cert.); Triple-DES (Cert.)

-Other algorithms: AES (Cert., key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 +Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 Kernel Mode Cryptographic Primitives Library (cng.sys) @@ -887,16 +895,16 @@ Validated Editions: Windows 7, Windows 7 SP1

6.1.7601.21861

6.1.7601.22076

1328 -FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)

-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 Boot Manager

6.1.7600.16385

6.1.7601.17514

1319 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)

Other algorithms: MD5#1168 and); HMAC (Cert.); RSA (Cert.); SHS (Cert.)

@@ -913,7 +921,7 @@ Validated Editions: Windows 7, Windows 7 SP1

6.1.7601.21655

6.1.7601.21675

1326 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)

Other algorithms: MD5 @@ -932,7 +940,7 @@ Validated Editions: Windows 7, Windows 7 SP1

6.1.7601.21655

6.1.7601.21675

1332 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)

Other algorithms: Elephant Diffuser @@ -945,7 +953,7 @@ Validated Editions: Windows 7, Windows 7 SP1

6.1.7601.17950

6.1.7601.22108

1327 -FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
+FIPS approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)

Other algorithms: MD5 @@ -954,7 +962,7 @@ Validated Editions: Windows 7, Windows 7 SP1 6.1.7600.16385
(no change in SP1) 1331 -FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4 @@ -963,9 +971,9 @@ Validated Editions: Windows 7, Windows 7 SP1 6.1.7600.16385
(no change in SP1) 1330 -FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)

-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) @@ -993,13 +1001,13 @@ Validated Editions: Ultimate Edition Boot Manager (bootmgr) 6.0.6001.18000 and 6.0.6002.18005 978 -FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753) +FIPS approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753) Winload OS Loader (winload.exe) 6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596 979 -FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
+FIPS approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)

Other algorithms: MD5 @@ -1007,37 +1015,37 @@ Validated Editions: Ultimate Edition Code Integrity (ci.dll) 6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005 980 -FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
+FIPS approved algorithms: RSA (Cert. #354); SHS (Cert. #753)

Other algorithms: MD5 Kernel Mode Security Support Provider Interface (ksecdd.sys) -6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869 +6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869 1000 -

FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and); ECDSA (Cert.); HMAC (Cert.); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

-

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

+

FIPS approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and); ECDSA (Cert.); HMAC (Cert.); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

+

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Cryptographic Primitives Library (bcrypt.dll) -6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872 +6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872 1001 -

FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

-

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

+

FIPS approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

+

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

Enhanced Cryptographic Provider (RSAENH) -6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005 +6.0.6001.22202 and 6.0.6002.18005 1002 -

FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

-

Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

+

FIPS approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

+

Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) -6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 +6.0.6001.18000 and 6.0.6002.18005 1003 -

FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

-

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

+

FIPS approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

+

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

@@ -1059,23 +1067,23 @@ Validated Editions: Ultimate Edition Enhanced Cryptographic Provider (RSAENH) 6.0.6000.16386 893 -FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+FIPS approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)

-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) 6.0.6000.16386 894 -FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)

-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 BitLocker™ Drive Encryption 6.0.6000.16386 947 -FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
+FIPS approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)

Other algorithms: Elephant Diffuser @@ -1083,9 +1091,9 @@ Validated Editions: Ultimate Edition Kernel Mode Security Support Provider Interface (ksecdd.sys) 6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067 891 -FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+FIPS approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)

-Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5 +Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 bits to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5 @@ -1111,22 +1119,22 @@ Validated Editions: Ultimate Edition Kernel Mode Cryptographic Module (FIPS.SYS) 5.1.2600.5512 997 -

FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

+

FIPS approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

Other algorithms: DES; MD5; HMAC MD5

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) 5.1.2600.5507 990 -

FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

-

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

+

FIPS approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

+

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

Enhanced Cryptographic Provider (RSAENH) 5.1.2600.5507 989 -

FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

-

Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits)

+

FIPS approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

+

Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits)

@@ -1152,14 +1160,14 @@ Validated Editions: Ultimate Edition DSS/Diffie-Hellman Enhanced Cryptographic Provider 5.1.2600.2133 240 -

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

+

FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)

Microsoft Enhanced Cryptographic Provider 5.1.2600.2161 238 -

FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

Other algorithms: DES (Cert. #156); RC2; RC4; MD5

@@ -1186,7 +1194,7 @@ Validated Editions: Ultimate Edition Microsoft Enhanced Cryptographic Provider 5.1.2600.1029 238 -

FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

Other algorithms: DES (Cert. #156); RC2; RC4; MD5

@@ -1213,7 +1221,7 @@ Validated Editions: Ultimate Edition Kernel Mode Cryptographic Module 5.1.2600.0 241 -

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

Other algorithms: DES (Cert. #89)

@@ -1240,7 +1248,7 @@ Validated Editions: Ultimate Edition Kernel Mode Cryptographic Module (FIPS.SYS) 5.0.2195.1569 106 -

FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

+

FIPS approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

Other algorithms: DES (Certs. #89)

@@ -1250,7 +1258,7 @@ Validated Editions: Ultimate Edition

(DSS/DH Enh: 5.0.2195.3665 [SP3])

(Enh: 5.0.2195.3839 [SP3]

103 -

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

@@ -1277,7 +1285,7 @@ Validated Editions: Ultimate Edition Kernel Mode Cryptographic Module (FIPS.SYS) 5.0.2195.1569 106 -

FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

+

FIPS approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

Other algorithms: DES (Certs. #89)

@@ -1291,7 +1299,7 @@ Validated Editions: Ultimate Edition

(Enh:

5.0.2195.2228 [SP2])

103 -

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

@@ -1321,7 +1329,7 @@ Validated Editions: Ultimate Edition

(DSS/DH Enh: 5.0.2150.1391 [SP1])

(Enh: 5.0.2150.1391 [SP1])

103 -

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

@@ -1348,7 +1356,7 @@ Validated Editions: Ultimate Edition Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider 5.0.2150.1 76 -

FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

+

FIPS approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

@@ -1375,7 +1383,7 @@ Validated Editions: Ultimate Edition Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider 5.0.1877.6 and 5.0.1877.7 75 -

FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

+

FIPS approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

@@ -1396,7 +1404,7 @@ Validated Editions: Ultimate Edition Base Cryptographic Provider 5.0.1877.6 and 5.0.1877.7 68 -FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
+FIPS approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)

Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) @@ -1631,7 +1639,7 @@ Validated Editions: Standard, Datacenter, Storage Server Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 10.0.14393 2937 -FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)

Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) @@ -1639,7 +1647,7 @@ Validated Editions: Standard, Datacenter, Storage Server Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.14393 2936 -FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)

Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) @@ -1647,14 +1655,14 @@ Validated Editions: Standard, Datacenter, Storage Server Boot Manager 10.0.14393 2931 -

FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

+

FIPS approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

BitLocker® Windows OS Loader (winload) 10.0.14393 2932 -FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: NDRNG; MD5 @@ -1662,7 +1670,7 @@ Validated Editions: Standard, Datacenter, Storage Server BitLocker® Windows Resume (winresume) 10.0.14393 2933 -FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: MD5 @@ -1670,13 +1678,13 @@ Validated Editions: Standard, Datacenter, Storage Server BitLocker® Dump Filter (dumpfve.sys) 10.0.14393 2934 -FIPS Approved algorithms: AES (Certs. #4061 and #4064) +FIPS approved algorithms: AES (Certs. #4061 and #4064) Code Integrity (ci.dll) 10.0.14393 2935 -FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: AES (non-compliant); MD5 @@ -1684,7 +1692,7 @@ Validated Editions: Standard, Datacenter, Storage Server Secure Kernel Code Integrity (skci.dll) 10.0.14393 2938 -FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
+FIPS approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)

Other algorithms: MD5 @@ -1710,23 +1718,23 @@ Validated Editions: Server, Storage Server, Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 6.3.9600 6.3.9600.17031 2357 -FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)

-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) Kernel Mode Cryptographic Primitives Library (cng.sys) 6.3.9600 6.3.9600.17042 2356 -FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)

-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) Boot Manager 6.3.9600 6.3.9600.17031 2351 -FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+FIPS approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)

Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) @@ -1734,7 +1742,7 @@ Validated Editions: Server, Storage Server, BitLocker® Windows OS Loader (winload) 6.3.9600 6.3.9600.17031 2352 -FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)

Other algorithms: MD5; NDRNG @@ -1742,7 +1750,7 @@ Validated Editions: Server, Storage Server, BitLocker® Windows Resume (winresume)[16] 6.3.9600 6.3.9600.17031 2353 -FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)

Other algorithms: MD5 @@ -1750,7 +1758,7 @@ Validated Editions: Server, Storage Server, BitLocker® Dump Filter (dumpfve.sys)[17] 6.3.9600 6.3.9600.17031 2354 -FIPS Approved algorithms: AES (Cert. #2832)
+FIPS approved algorithms: AES (Cert. #2832)

Other algorithms: N/A @@ -1758,7 +1766,7 @@ Validated Editions: Server, Storage Server, Code Integrity (ci.dll) 6.3.9600 6.3.9600.17031 2355 -FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
+FIPS approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)

Other algorithms: MD5 @@ -1766,9 +1774,9 @@ Validated Editions: Server, Storage Server, -\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** +\[16\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** -\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** +\[17\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** **Windows Server 2012** @@ -1786,27 +1794,27 @@ Validated Editions: Server, Storage Server Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) 6.2.9200 1892 -FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)

-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

-Other algorithms: AES (Cert., key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) +Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) Kernel Mode Cryptographic Primitives Library (cng.sys) 6.2.9200 1891 -FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)

-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

-Other algorithms: AES (Cert., key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) +Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) Boot Manager 6.2.9200 1895 -FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: MD5 @@ -1814,7 +1822,7 @@ Validated Editions: Server, Storage Server BitLocker® Windows OS Loader (WINLOAD) 6.2.9200 1896 -FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG @@ -1822,7 +1830,7 @@ Validated Editions: Server, Storage Server BitLocker® Windows Resume (WINRESUME) 6.2.9200 1898 -FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: MD5 @@ -1830,7 +1838,7 @@ Validated Editions: Server, Storage Server BitLocker® Dump Filter (DUMPFVE.SYS) 6.2.9200 1899 -FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+FIPS approved algorithms: AES (Certs. #2196 and #2198)

Other algorithms: N/A @@ -1838,7 +1846,7 @@ Validated Editions: Server, Storage Server Code Integrity (CI.DLL) 6.2.9200 1897 -FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: MD5 @@ -1846,7 +1854,7 @@ Validated Editions: Server, Storage Server Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) 6.2.9200 1893 -FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) @@ -1854,9 +1862,9 @@ Validated Editions: Server, Storage Server Enhanced Cryptographic Provider (RSAENH.DLL) 6.2.9200 1894 -FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+FIPS approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)

-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) @@ -1874,65 +1882,65 @@ Validated Editions: Server, Storage Server Boot Manager (bootmgr) -6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.17514 +6.1.7600.16385 or 6.1.7601.17514 1321 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)

Other algorithms: MD5 Winload OS Loader (winload.exe) -6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675 +6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675 1333 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)

Other algorithms: MD5 Code Integrity (ci.dll) -6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108 +6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108 1334 -FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
+FIPS approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)

Other algorithms: MD5 Kernel Mode Cryptographic Primitives Library (cng.sys) -6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076 +6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076 1335 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)

--Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 +-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 Cryptographic Primitives Library (bcryptprimitives.dll) -66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.17514 +66.1.7600.16385 or 6.1.7601.17514 1336 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)

-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4 +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4 Enhanced Cryptographic Provider (RSAENH) 6.1.7600.16385 1337 -FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)

-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) 6.1.7600.16385 1338 -FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4 BitLocker™ Drive Encryption -6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675 +6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675 1339 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)

Other algorithms: Elephant Diffuser @@ -1952,61 +1960,61 @@ Validated Editions: Server, Storage Server Boot Manager (bootmgr) -6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497 +6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497 1004 -FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
+FIPS approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)

Other algorithms: N/A Winload OS Loader (winload.exe) -6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596 +6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596 1005 -FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
+FIPS approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)

Other algorithms: MD5 Code Integrity (ci.dll) -6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 +6.0.6001.18000 and 6.0.6002.18005 1006 -FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
+FIPS approved algorithms: RSA (Cert. #355); SHS (Cert. #753)

Other algorithms: MD5 Kernel Mode Security Support Provider Interface (ksecdd.sys) -6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869 +6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869 1007 -FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+FIPS approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)

-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert.); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert.); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) Cryptographic Primitives Library (bcrypt.dll) -6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872 +6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872 1008 -FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+FIPS approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)

-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) -6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 +6.0.6001.18000 and 6.0.6002.18005 1009 -FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

--Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 +-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 Enhanced Cryptographic Provider (RSAENH) -6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005 +6.0.6001.22202 and 6.0.6002.18005 1010 -FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
+FIPS approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)

-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) @@ -2032,22 +2040,22 @@ Validated Editions: Server, Storage Server Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) 5.2.3790.3959 875 -

FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

-

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

+

FIPS approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

+

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

Kernel Mode Cryptographic Module (FIPS.SYS) 5.2.3790.3959 869 -

FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

+

FIPS approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

Other algorithms: DES; HMAC-MD5

Enhanced Cryptographic Provider (RSAENH) 5.2.3790.3959 868 -

FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

-

Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

+

FIPS approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

+

Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

@@ -2073,7 +2081,7 @@ Validated Editions: Server, Storage Server Kernel Mode Cryptographic Module (FIPS.SYS) 5.2.3790.1830 [SP1] 405 -

FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

+

FIPS approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

[1] x86
[2] SP1 x86, x64, IA64

@@ -2082,7 +2090,7 @@ Validated Editions: Server, Storage Server Enhanced Cryptographic Provider (RSAENH) 5.2.3790.1830 [Service Pack 1]) 382 -

FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

+

FIPS approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

[1] x86
[2] SP1 x86, x64, IA64

@@ -2091,7 +2099,7 @@ Validated Editions: Server, Storage Server Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) 5.2.3790.1830 [Service Pack 1] 381 -

FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

+

FIPS approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

[1] x86
[2] SP1 x86, x64, IA64

@@ -2120,7 +2128,7 @@ Validated Editions: Server, Storage Server Kernel Mode Cryptographic Module (FIPS.SYS) 5.2.3790.0 405 -

FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

+

FIPS approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

[1] x86
[2] SP1 x86, x64, IA64

@@ -2129,7 +2137,7 @@ Validated Editions: Server, Storage Server Enhanced Cryptographic Provider (RSAENH) 5.2.3790.0 382 -

FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

+

FIPS approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

[1] x86
[2] SP1 x86, x64, IA64

@@ -2138,7 +2146,7 @@ Validated Editions: Server, Storage Server Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) 5.2.3790.0 381 -

FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

+

FIPS approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

[1] x86
[2] SP1 x86, x64, IA64

@@ -2169,15 +2177,15 @@ Validated Editions: Server, Storage Server Enhanced Cryptographic Provider 7.00.2872 [1] and 8.00.6246 [2] 2957 -

FIPS Approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

-

Allowed algorithms: HMAC-MD5; MD5; NDRNG

+

FIPS approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

+

Allowed algorithms: HMAC-MD5, MD5, NDRNG

Cryptographic Primitives Library (bcrypt.dll) 7.00.2872 [1] and 8.00.6246 [2] 2956 -

FIPS Approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

-

Allowed algorithms: MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength

+

FIPS approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

+

Allowed algorithms: MD5, NDRNG, RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength

@@ -2204,7 +2212,7 @@ Validated Editions: Server, Storage Server Enhanced Cryptographic Provider 6.00.1937 [1] and 7.00.1687 [2] 825 -

FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

+

FIPS approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES

@@ -2229,9 +2237,9 @@ Validated Editions: Server, Storage Server Outlook Cryptographic Provider (EXCHCSP) -SR-1A (3821)SR-1A (3821) +SR-1A (3821) 110 -

FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5

@@ -2320,7 +2328,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
  • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
  • AES-CFB128:
    • @@ -2393,7 +2401,7 @@ The following tables are organized by cryptographic algorithms with their modes,
    • Key Lengths: 128, 192, 256 (bits)
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
    • 96 bit IV supported
  • AES-XTS:
    • @@ -2426,7 +2434,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
  • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
  • AES-CFB128:
    • @@ -2499,7 +2507,7 @@ The following tables are organized by cryptographic algorithms with their modes,
    • Key Lengths: 128, 192, 256 (bits)
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
    • 96 bit IV supported
  • AES-XTS:
    • @@ -2532,7 +2540,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
  • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
  • AES-CFB128:
    • @@ -2606,7 +2614,7 @@ The following tables are organized by cryptographic algorithms with their modes,
    • Key Lengths: 128, 192, 256 (bits)
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
    • 96 bit IV supported
  • AES-XTS:
    • @@ -2634,7 +2642,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Key Lengths: 128, 192, 256 (bits)
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -

    AES Val#4902

    +

    AES validation number 4902

    Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900

    Version 10.0.15063.674

    @@ -2646,7 +2654,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Key Lengths: 128, 192, 256 (bits)
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -

    AES Val#4901

    +

    AES validation number 4901

    Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899

    Version 10.0.15254

    @@ -2658,7 +2666,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Key Lengths: 128, 192, 256 (bits)
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -

    AES Val#4897

    +

    AES validation number 4897

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

    Version 10.0.16299

    @@ -2669,9 +2677,9 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 128 (bits)
  • IV Lengths: 96 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
    • -

    AES Val#4902

    +

    AES validation number 4902

    Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

    Version 10.0.15063.674

    @@ -2682,9 +2690,9 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 128 (bits)
  • IV Lengths: 96 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
    • -

    AES Val#4901

    +

    AES validation number 4901

    Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

    Version 10.0.15254

    @@ -2695,9 +2703,9 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 128 (bits)
  • IV Lengths: 96 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
    • -

    AES Val#4897

    +

    AES validation number 4897

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

    Version 10.0.16299

    @@ -2711,13 +2719,13 @@ The following tables are organized by cryptographic algorithms with their modes,

    KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    -

    AES Val#4624

    +

    AES validation number 4624

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

    Version 10.0.15063

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    -

    AES Val#4624

    +

    AES validation number 4624

     

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

    Version 10.0.15063

    @@ -2732,8 +2740,8 @@ The following tables are organized by cryptographic algorithms with their modes,

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

    -

    IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); AAD Lengths tested: (0, 1024, 8, 1016); 96BitIV_Supported

    -

    GMAC_Supported

    +

    IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); 96 bit IV supported

    +

    GMAC supported

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

    Version 10.0.15063

    @@ -2778,8 +2786,8 @@ The following tables are organized by cryptographic algorithms with their modes,

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    -IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); AAD Lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96BitIV_Supported
    -GMAC_Supported

    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
    +GMAC supported

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

    Version 10.0.14393

    @@ -2794,25 +2802,25 @@ Version 10.0.14393

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)

    -

    AES Val#4064

    +

    AES validation number 4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

    Version 10.0.14393

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    -

    AES Val#4064

    +

    AES validation number 4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

    Version 10.0.14393

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    -

    AES Val#3629

    +

    AES validation number 3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

    Version 10.0.10586

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    -

    AES Val#3629

    +

    AES validation number 3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

    Version 10.0.10586

    @@ -2830,8 +2838,8 @@ Version 10.0.10586

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    -IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); AAD Lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96BitIV_Supported
    -GMAC_Supported

    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
    +GMAC supported

    XTS((KS: XTS_128((e/d) (f)) KS: XTS_256((e/d) (f))

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629

    @@ -2840,13 +2848,13 @@ GMAC_Supported

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    -

    AES Val#3497

    +

    AES validation number 3497

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

    Version 10.0.10240

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    -

    AES Val#3497

    +

    AES validation number 3497

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

    Version 10.0.10240

    @@ -2856,8 +2864,8 @@ GMAC_Supported

    CMAC(Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    -IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); AAD Lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96BitIV_Supported
    -GMAC_Supported

    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96 bit IV supported
    +GMAC supported

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
    Version 10.0.10240 @@ -2880,8 +2888,8 @@ Version 10.0.10240

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    -

    AES Val#2832

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

    +

    AES validation number 2832

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations #2848

    Version 6.3.9600

    @@ -2889,26 +2897,26 @@ Version 10.0.10240

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

    -

    IV Generated:  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); AAD Lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96BitIV_Supported;
    +

    IV Generated:  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96 bit IV supported;
    OtherIVLen_Supported
    -GMAC_Supported

    -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

    +GMAC supported

    +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

    Version 6.3.9600

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
    -AES Val#2197

    +AES validation number 2197

    CMAC (Generation/Verification) (KS: 128; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)
    -AES Val#2197

    +AES validation number 2197

    GCM(KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    -IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); AAD Lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96BitIV_Supported
    -GMAC_Supported

    +IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96 bit IV supported
    +GMAC supported

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216 -

    CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16 ) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    -

    AES Val#2196

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 2196

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198 @@ -2927,14 +2935,14 @@ GMAC_Supported

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196 -CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 – 0, 2^16 ) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    -AES Val#1168 +CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 – 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
    +AES validation number 1168

    Windows Server 2008 R2 and SP1 CNG algorithms #1187

    Windows 7 Ultimate and SP1 CNG algorithms #1178

    -CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
    -AES Val#1168 +CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)
    +AES validation number 1168 Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177 @@ -2950,11 +2958,11 @@ AES #1168, vendor-affirmed -CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) +CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16) Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760 -CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16 ) (Payload Length Range: 1 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) +CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 1 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    Windows Server 2008 CNG algorithms #757

    Windows Vista Ultimate SP1 CNG algorithms #756

    @@ -2995,7 +3003,7 @@ AES -CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4627)] +CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4627)]

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

    Version 10.0.15063

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#4624)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4624)]

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

    Version 10.0.15063

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4434)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4434)]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

    Version 7.00.2872

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4433)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4433)]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

    Version 8.00.6246

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4431)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4431)]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

    Version 7.00.2872

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4430)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4430)]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

    Version 8.00.6246

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4074)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4074)]

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

    Version 10.0.14393

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#4064)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4064)]

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

    Version 10.0.14393

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#3629)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3629)]

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

    Version 10.0.10586

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#3497)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3497)]

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

    Version 10.0.10240

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#2832)] -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

    +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2832)] +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

    Version 6.3.9600

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#2197)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2197)] Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258 -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#2023)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 2023)] Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193 -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#1168)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 1168)] Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23 @@ -3280,26 +3288,26 @@ Deterministic Random Bit Generator (DRBG)

    PQG(gen)PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]

    PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    KeyPairGen:   [(2048,256); (3072,256)]

    -

    SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256); ]

    +

    SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    -

    SHS: Val#3790

    -

    DRBG: Val# 1555

    +

    SHS: validation number 3790

    +

    DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

    Version 10.0.15063

    FIPS186-4:
    -PQG(ver)PARMS TESTED:       [(1024,160) SHA(1); ]
    -SIG(ver)PARMS TESTED:   [(1024,160) SHA(1); ]
    -SHS: Val# 3649 +PQG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SHS: validation number 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

    Version 7.00.2872

    FIPS186-4:
    -PQG(ver)PARMS TESTED:       [(1024,160) SHA(1); ]
    -SIG(ver)PARMS TESTED:   [(1024,160) SHA(1); ]
    -SHS: Val#3648 +PQG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SHS: validation number 3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

    Version 8.00.6246

    @@ -3310,20 +3318,20 @@ PQG(gen)PARMS TESTED: [
    PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    KeyPairGen:    [(2048,256); (3072,256)]
    SIG(gen)PARMS TESTED:   [(2048,256)
    -SHA(256); (3072,256) SHA(256); ]
    +SHA(256); (3072,256) SHA(256)]
    SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    -

    SHS: Val# 3347
    -DRBG: Val# 1217

    +

    SHS: validation number 3347
    +DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

    Version 10.0.14393

    FIPS186-4:
    PQG(gen)    PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)] PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    -KeyPairGen:    [(2048,256); (3072,256)] SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256); ]
    +KeyPairGen:    [(2048,256); (3072,256)] SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    -

    SHS: Val# 3047
    -DRBG: Val# 955

    +

    SHS: validation number 3047
    +DRBG: validation number 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

    Version 10.0.10586

    @@ -3332,9 +3340,9 @@ DRBG: Val# 2886
    -DRBG: Val# 868

    +SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)] SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SHS: validation number 2886
    +DRBG: validation number 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

    Version 10.0.10240

    @@ -3345,11 +3353,11 @@ PQG(gen)PARMS TESTED:   [
    PQG(ver)PARMS TESTED:   [(2048,256)
    SHA(256); (3072,256) SHA(256)]
    KeyPairGen:    [(2048,256); (3072,256)]
    -SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256); ]
    +SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    -

    SHS: Val# 2373
    -DRBG: Val# 489

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

    +

    SHS: validation number 2373
    +DRBG: validation number 489

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

    Version 6.3.9600

    @@ -3361,11 +3369,11 @@ DRBG: #1903
    DRBG: #258
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 687.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687 @@ -3374,75 +3382,75 @@ PQG(ver) MOD(1024);
    SIG(ver) MOD(1024);
    SHS: #1902
    DRBG: #258
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686. +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 686. Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686 FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 1773
    -DRBG: Val# 193
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645. +SHS: validation number 1773
    +DRBG: validation number 193
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 645. Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645 FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 1081
    -DRBG: Val# 23
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386. +SHS: validation number 1081
    +DRBG: validation number 23
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 391. See Historical DSA List validation number 386.

    Windows Server 2008 R2 and SP1 CNG algorithms #391

    Windows 7 Ultimate and SP1 CNG algorithms #386

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 1081
    -RNG: Val# 649
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385. +SHS: validation number 1081
    +RNG: validation number 649
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 390. See Historical DSA List validation number 385.

    Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

    Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 753
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283. +SHS: validation number 753
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 284. See Historical DSA List validation number 283.

    Windows Server 2008 CNG algorithms #284

    Windows Vista Ultimate SP1 CNG algorithms #283

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 753
    -RNG: Val# 435
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281. +SHS: validation number 753
    +RNG: validation number 435
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 282. See Historical DSA List validation number 281.

    Windows Server 2008 Enhanced DSS (DSSENH) #282

    Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 618
    -RNG: Val# 321
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226. +SHS: validation number 618
    +RNG: validation number 321
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 227. See Historical DSA List validation number 226.

    Windows Vista CNG algorithms #227

    Windows Vista Enhanced DSS (DSSENH) #226

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 784
    -RNG: Val# 448
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292. +SHS: validation number 784
    +RNG: validation number 448
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 292. Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292 FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 783
    -RNG: Val# 447
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291. +SHS: validation number 783
    +RNG: validation number 447
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 291. Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291 @@ -3452,8 +3460,8 @@ PQG(gen) MOD(1024);
    KEYGEN(Y) MOD(1024);
    SIG(gen) MOD(1024);
    SIG(ver) MOD(1024);
    -SHS: Val# 611
    -RNG: Val# 314 +SHS: validation number 611
    +RNG: validation number 314 Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221 @@ -3463,7 +3471,7 @@ PQG(gen) MOD(1024);
    KEYGEN(Y) MOD(1024);
    SIG(gen) MOD(1024);
    SIG(ver) MOD(1024);
    -SHS: Val# 385 +SHS: validation number 385 Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146 @@ -3472,7 +3480,7 @@ PQG(ver) MOD(1024);
    KEYGEN(Y) MOD(1024);
    SIG(gen) MOD(1024);
    SIG(ver) MOD(1024);
    -SHS: Val# 181
    +SHS: validation number 181

    Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95 @@ -3548,7 +3556,7 @@ SHS: SHA-1 (BYTE)

    Prerequisite: SHS #2373, DRBG #489

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

    Version 6.3.9600

    @@ -3794,8 +3802,8 @@ SHS: SHA-1 (BYTE)

    FIPS186-4:
    PKG: CURVES    (P-256 P-384 TestingCandidates)
    -SHS: Val#3790
    -DRBG: Val# 1555 +SHS: validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

    Version 10.0.15063

    @@ -3805,8 +3813,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    PKV: CURVES(P-256 P-384 P-521)
    SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    -SHS: Val#3790
    -DRBG: Val# 1555 +SHS: validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

    Version 10.0.15063

    @@ -3816,8 +3824,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    PKV: CURVES(P-256 P-384 P-521)
    SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    -SHS: Val#3790
    -DRBG: Val# 1555 +SHS: validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

    Version 10.0.15063

    @@ -3827,8 +3835,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    PKV: CURVES(P-256 P-384 P-521)
    SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
    -SHS:Val# 3649
    -DRBG:Val# 1430 +SHS:validation number 3649
    +DRBG:validation number 1430

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

    Version 7.00.2872

    @@ -3838,8 +3846,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    PKV: CURVES(P-256 P-384 P-521)
    SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
    -SHS:Val#3648
    -DRBG:Val# 1429 +SHS:validation number 3648
    +DRBG:validation number 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

    Version 8.00.6246

    @@ -3849,8 +3857,8 @@ PKG: CURVES(P-256 P-384 TestingCandidates)
    PKV: CURVES(P-256 P-384)
    SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
    SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384))

    -

    SHS: Val# 3347
    -DRBG: Val# 1222

    +

    SHS: validation number 3347
    +DRBG: validation number 1222

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

    Version 10.0.14393

    @@ -3860,8 +3868,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    PKV: CURVES(P-256 P-384 P-521)
    SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    -

    SHS: Val# 3347
    -DRBG: Val# 1217

    +

    SHS: validation number 3347
    +DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

    Version 10.0.14393

    @@ -3870,8 +3878,8 @@ DRBG: Val# 3047
    -DRBG: Val# 955

    +

    SHS: validation number 3047
    +DRBG: validation number 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

    Version 10.0.10586

    @@ -3880,8 +3888,8 @@ DRBG: Val# 2886
    -DRBG: Val# 868

    +

    SHS: validation number 2886
    +DRBG: validation number 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

    Version 10.0.10240

    @@ -3890,9 +3898,9 @@ DRBG: Val#2373
    -DRBG: Val# 489

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

    +

    SHS: validation number 2373
    +DRBG: validation number 489

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

    Version 6.3.9600

    @@ -3900,7 +3908,7 @@ DRBG: #1903
    DRBG: #258
    -SIG(ver):CURVES(P-256 P-384 P-521)
    +SIG(ver): CURVES(P-256 P-384 P-521)
    SHS: #1903
    DRBG: #258

    FIPS186-4:
    @@ -3909,57 +3917,57 @@ PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    SHS: #1903
    DRBG: #258
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 341.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

    FIPS186-2:
    PKG: CURVES    (P-256 P-384 P-521)
    -SHS: Val#1773
    -DRBG: Val# 193
    +SHS: validation number 1773
    +DRBG: validation number 193
    SIG(ver): CURVES(P-256 P-384 P-521)
    -SHS: Val#1773
    -DRBG: Val# 193

    +SHS: validation number 1773
    +DRBG: validation number 193

    FIPS186-4:
    PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    -SHS: Val#1773
    -DRBG: Val# 193
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

    +SHS: validation number 1773
    +DRBG: validation number 193
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 295.

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295 FIPS186-2:
    PKG: CURVES    (P-256 P-384 P-521)
    -SHS: Val#1081
    -DRBG: Val# 23
    +SHS: validation number 1081
    +DRBG: validation number 23
    SIG(ver): CURVES(P-256 P-384 P-521)
    -SHS: Val#1081
    -DRBG: Val# 23
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141. +SHS: validation number 1081
    +DRBG: validation number 23
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 142. See Historical ECDSA List validation number 141.

    Windows Server 2008 R2 and SP1 CNG algorithms #142

    Windows 7 Ultimate and SP1 CNG algorithms #141

    FIPS186-2:
    PKG: CURVES    (P-256 P-384 P-521)
    -SHS: Val#753
    +SHS: validation number 753
    SIG(ver): CURVES(P-256 P-384 P-521)
    -SHS: Val#753
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82. +SHS: validation number 753
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 83. See Historical ECDSA List validation number 82.

    Windows Server 2008 CNG algorithms #83

    Windows Vista Ultimate SP1 CNG algorithms #82

    FIPS186-2:
    PKG: CURVES    (P-256 P-384 P-521)
    -SHS: Val#618
    -RNG: Val# 321
    +SHS: validation number 618
    +RNG: validation number 321
    SIG(ver): CURVES(P-256 P-384 P-521)
    -SHS: Val#618
    -RNG: Val# 321
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60. +SHS: validation number 618
    +RNG: validation number 321
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 60. Windows Vista CNG algorithms #60 @@ -4122,111 +4130,111 @@ Some of the previously validated components for this validation have been remove

    Version 10.0.16299

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3790

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3790

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3790

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

    Version 10.0.15063

    -

    HMAC-SHA1(Key Sizes Ranges Tested: KSBS) SHS Val#3790

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3790

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3790

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3790

    +

    HMAC-SHA1(Key Sizes Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

    Version 10.0.15063

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3652

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3652

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3652

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#3652

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3652

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3652

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3652

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3652

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

    Version 7.00.2872

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3651

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3651

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3651

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#3651

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3651

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3651

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3651

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3651

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

    Version 8.00.6246

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val# 3649

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val# 3649

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val# 3649

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal# 3649

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3649

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3649

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3649

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

    Version 7.00.2872

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3648

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3648

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3648

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#3648

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3648

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3648

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3648

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

    Version 8.00.6246

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    -SHS Val# 3347

    +SHS validation number 3347

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    -SHS Val# 3347

    +SHS validation number 3347

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    -SHS Val# 3347

    +SHS validation number 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

    Version 10.0.14393

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val# 3347

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val# 3347

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val# 3347

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val# 3347

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3347

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3347

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3347

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

    Version 10.0.14393

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    -SHS Val# 3047

    +SHS validation number 3047

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    -SHS Val# 3047

    +SHS validation number 3047

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    -SHS Val# 3047

    +SHS validation number 3047

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    -SHS Val# 3047

    +SHS validation number 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

    Version 10.0.10586

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    -SHSVal# 2886

    +SHSvalidation number 2886

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    -SHSVal# 2886

    +SHSvalidation number 2886

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    - SHSVal# 2886

    + SHSvalidation number 2886

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    -SHSVal# 2886

    +SHSvalidation number 2886

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

    Version 10.0.10240

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    -SHS Val#2373

    +SHS validation number 2373

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    -SHS Val#2373

    +SHS validation number 2373

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    -SHS Val#2373

    +SHS validation number 2373

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    -SHS Val#2373

    -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

    +SHS validation number 2373

    +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

    Version 6.3.9600

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#2764

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#2764

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#2764

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#2764

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 2764

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 2764

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 2764

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 2764

    Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

    Version 5.2.29344

    @@ -4254,133 +4262,133 @@ SHS 1345 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#1773

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#1773

    -

    Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#1773

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#1773

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1773

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

    +

    Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#1774

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#1774

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#1774

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#1774

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1774

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#1081

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#1081

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#1081

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#1081

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1081

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

    Windows Server 2008 R2 and SP1 CNG algorithms #686

    Windows 7 and SP1 CNG algorithms #677

    Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

    Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

    -

    HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSVal#1081

    +

    HMAC-SHA1(Key Sizes Ranges Tested: KSvalidation number 1081

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 1081

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#816

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#816

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#816

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#816

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 816

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSVal#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 753

    Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#753

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#753

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#753

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS)SHS Val#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS)SHS validation number 753

    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

    Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHSVal#618

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#618

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#618

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#618

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHSvalidation number 618

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    Windows Vista Enhanced Cryptographic Provider (RSAENH) #297 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#785 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 785

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

    Windows XP, vendor-affirmed

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#783

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#783

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#783

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#783

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 783

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#613

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#613

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#613

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#613

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 613

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#610 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 610 Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#753

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#753

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#753

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    Windows Server 2008 CNG algorithms #413

    Windows Vista Ultimate SP1 CNG algorithms #412

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSVal#737

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 737

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 737

    Windows Vista Ultimate BitLocker Drive Encryption #386 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#618

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#618

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#618

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#618

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    Windows Vista CNG algorithms #298 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#589

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHSVal#589

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#589

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#589

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 589

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHSvalidation number 589

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 589

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 589

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#578

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#578

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#578

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#578

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 578

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

    Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSVal#495

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 495

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 495

    Windows Vista BitLocker Drive Encryption #199 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#364 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 364

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

    Windows XP, vendor-affirmed

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#305

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#305

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#305

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#305

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 305

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31 @@ -4500,7 +4508,7 @@ SHS -
  • One Pass DH:
    • +
  • One-Pass DH:
    • Key Agreement Roles: Initiator, Responder
    • Parameter Sets:
      • @@ -4802,7 +4810,7 @@ SHS

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration) SCHEMES [FullUnified (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC)]

      -

      SHS Val#3790
      -DSA Val#1135
      -DRBG Val#1556

      +

      SHS validation number 3790
      +DSA validation number 1135
      +DRBG validation number 1556

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

      Version 10.0.15063

      @@ -4932,16 +4940,16 @@ DRBG Val#3790
      -DSA Val#1223
      -DRBG Val#1555

      +SHS validation number 3790
      +DSA validation number 1223
      +DRBG validation number 1555

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

      -SHS Val#3790
      -ECDSA Val#1133
      -DRBG Val#1555

      +SHS validation number 3790
      +ECDSA validation number 1133
      +DRBG validation number 1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

      Version 10.0.15063

      @@ -4949,9 +4957,9 @@ DRBG Val# 3649
      -DSA Val#1188
      -DRBG Val#1430

      +SHS validation number 3649
      +DSA validation number 1188
      +DRBG validation number 1430

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

      @@ -4963,23 +4971,23 @@ DRBG Val#3648
      -DSA Val#1187
      -DRBG Val#1429

      +SHS validation number 3648
      +DSA validation number 1187
      +DRBG validation number 1429

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

      -SHS Val#3648
      -ECDSA Val#1072
      -DRBG Val#1429

      +SHS validation number 3648
      +ECDSA validation number 1072
      +DRBG validation number 1429

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

      Version 8.00.6246

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration)
      SCHEMES  [FullUnified  (No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC)]

      -

      SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

      +

      SHS validation number 3347 ECDSA validation number 920 DRBG validation number 1222

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

      Version 10.0.14393

      @@ -4988,11 +4996,11 @@ DRBG Val# 3347 DSA Val#1098 DRBG Val#1217

      +

      SHS validation number 3347 DSA validation number 1098 DRBG validation number 1217

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

      -

      SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

      +

      SHS validation number 3347 DSA validation number 1098 ECDSA validation number 911 DRBG validation number 1217 HMAC validation number 2651

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

      Version 10.0.14393

      @@ -5000,11 +5008,11 @@ DRBG Val# 3047 DSA Val#1024 DRBG Val#955

      +

      SHS validation number 3047 DSA validation number 1024 DRBG validation number 955

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

      -

      SHS Val# 3047 ECDSA Val#760 DRBG Val#955

      +

      SHS validation number 3047 ECDSA validation number 760 DRBG validation number 955

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

      Version 10.0.10586

      @@ -5012,11 +5020,11 @@ DRBG Val# 2886 DSA Val#983 DRBG Val#868

      +

      SHS validation number 2886 DSA validation number 983 DRBG validation number 868

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

      -

      SHS Val# 2886 ECDSA Val#706 DRBG Val#868

      +

      SHS validation number 2886 ECDSA validation number 706 DRBG validation number 868

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

      Version 10.0.10240

      @@ -5024,12 +5032,12 @@ DRBG Val#2373 DSA Val#855 DRBG Val#489

      +

      SHS validation number 2373 DSA validation number 855 DRBG validation number 489

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

      -

      SHS Val#2373 ECDSA Val#505 DRBG Val#489

      -

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

      +

      SHS validation number 2373 ECDSA validation number 505 DRBG validation number 489

      +

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

      Version 6.3.9600

      @@ -5037,18 +5045,18 @@ DRBG #1903 DSA Val#687 DRBG #258

      +SHS #1903 DSA validation number 687 DRBG #258

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH(No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256) (ED: P-384 SHA384) (EE: P-521 (SHA512, HMAC_SHA512)))]
      [StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]

      -SHS #1903 ECDSA Val#341 DRBG #258

      +SHS #1903 ECDSA validation number 341 DRBG #258

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

      KAS (SP 800–56A)

      key agreement

      -

      key establishment methodology provides 80 to 256 bits of encryption strength

      +

      key establishment methodology provides 80 bits to 256 bits of encryption strength

      Windows 7 and SP1, vendor-affirmed

      Windows Server 2008 R2 and SP1, vendor-affirmed

      @@ -5162,55 +5170,55 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF) CTR_Mode: (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))

      -KAS Val#128
      -DRBG Val#1556
      -MAC Val#3062 +KAS validation number 128
      +DRBG validation number 1556
      +MAC validation number 3062

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

      Version 10.0.15063

      CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

      -KAS Val#127
      -AES Val#4624
      -DRBG Val#1555
      -MAC Val#3061 +KAS validation number 127
      +AES validation number 4624
      +DRBG validation number 1555
      +MAC validation number 3061

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

      Version 10.0.15063

      CTR_Mode:  (Llength(Min20 Max64) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))

      -

      KAS Val#93 DRBG Val#1222 MAC Val#2661

      +

      KAS validation number 93 DRBG validation number 1222 MAC validation number 2661

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

      Version 10.0.14393

      CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

      -

      KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

      +

      KAS validation number 92 AES validation number 4064 DRBG validation number 1217 MAC validation number 2651

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

      Version 10.0.14393

      CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

      -

      KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

      +

      KAS validation number 72 AES validation number 3629 DRBG validation number 955 MAC validation number 2381

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

      Version 10.0.10586

      CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

      -

      KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

      +

      KAS validation number 64 AES validation number 3497 RBG validation number 868 MAC validation number 2233

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

      Version 10.0.10240

      CTR_Mode:  (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

      -

      DRBG Val#489 MAC Val#1773

      -

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

      +

      DRBG validation number 489 MAC validation number 1773

      +

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

      Version 6.3.9600

      CTR_Mode: (Llength(Min0 Max4) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

      -

      DRBG #258 HMAC Val#1345

      +

      DRBG #258 HMAC validation number 1345

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3 @@ -5855,14 +5863,14 @@ ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
      [RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
       Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))
      -SHA Val#3790 +SHA validation number 3790

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

      Version 10.0.15063

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
      -SHA Val#3790 +SHA validation number 3790

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

      Version 10.0.15063

      @@ -5874,8 +5882,8 @@ SHA Val#3790
      -DRBG: Val# 1555 +SHA validation number 3790
      +DRBG: validation number 1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

      Version 10.0.15063

      @@ -5887,65 +5895,65 @@ PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
      SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
      [RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
       Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
      -SHA Val#3790 +SHA validation number 3790

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

      Version 10.0.15063

      FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3652
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

      +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3652
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3652, SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652

      FIPS186-4:
      ALG[ANSIX9.31]       Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
      SIG(gen) with SHA-1 affirmed for use with protocols only.       Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
      ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
      -SHA Val#3652

      +SHA validation number 3652

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

      Version 7.00.2872

      FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3651
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

      +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3651
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3651, SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651

      FIPS186-4:
      ALG[ANSIX9.31]       Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
      SIG(gen) with SHA-1 affirmed for use with protocols only.       Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
      ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
      -SHA Val#3651

      +SHA validation number 3651

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

      Version 8.00.6246

      FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 4096, SHS: SHA-256Val# 3649, SHA-384Val# 3649, SHA-512Val# 3649
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val# 3649, SHA-256Val# 3649, SHA-384Val# 3649, SHA-512Val# 3649

      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3649, SHA-384validation number 3649, SHA-512validation number 3649
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3649, SHA-256validation number 3649, SHA-384validation number 3649, SHA-512validation number 3649

      FIPS186-4:
      186-4KEY(gen):       FIPS186-4_Fixed_e (10001);
      PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
      ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
      -SHA Val# 3649
      -DRBG: Val# 1430

      +SHA validation number 3649
      +DRBG: validation number 1430

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

      Version 7.00.2872

      FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 4096, SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3648, SHA-384validation number 3648, SHA-512validation number 3648
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3648, SHA-256validation number 3648, SHA-384validation number 3648, SHA-512validation number 3648

      FIPS186-4:
      186-4KEY(gen):       FIPS186-4_Fixed_e (10001);
      PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
      ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
      -SHA Val#3648
      -DRBG: Val# 1429

      +SHA validation number 3648
      +DRBG: validation number 1429

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

      Version 8.00.6246

      @@ -5955,7 +5963,7 @@ ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
      [RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
      Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))

      -

      SHA Val# 3347

      +

      SHA validation number 3347

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

      Version 10.0.14393

      @@ -5963,14 +5971,14 @@ Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(

      FIPS186-4:
      186-4KEY(gen):       FIPS186-4_Fixed_e (10001);
      PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

      -

      SHA Val# 3347 DRBG: Val# 1217

      +

      SHA validation number 3347 DRBG: validation number 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

      Version 10.0.14393

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val#3346

      +

      SHA validation number 3346

      soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

      Version 10.0.14393

      @@ -5978,7 +5986,7 @@ ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 25

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
      SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val# 3347 DRBG: Val# 1217

      +

      SHA validation number 3347 DRBG: validation number 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

      Version 10.0.14393

      @@ -5986,7 +5994,7 @@ ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384

      FIPS186-4:
      [RSASSA-PSS]: Sig(Gen):       (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

      Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

      -

      SHA Val# 3347 DRBG: Val# 1217

      +

      SHA validation number 3347 DRBG: validation number 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

      Version 10.0.14393

      @@ -5994,14 +6002,14 @@ ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384

      FIPS186-4:
      186-4KEY(gen)      :  FIPS186-4_Fixed_e (10001);
      PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

      -

      SHA Val# 3047 DRBG: Val# 955

      +

      SHA validation number 3047 DRBG: validation number 955

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

      Version 10.0.10586

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val#3048

      +

      SHA validation number 3048

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

      Version 10.0.10586

      @@ -6009,7 +6017,7 @@ ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 25

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
      SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val# 3047

      +

      SHA validation number 3047

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

      Version 10.0.10586

      @@ -6017,7 +6025,7 @@ ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384

      FIPS186-4:
      [RSASSA-PSS]: Sig(Gen)      : (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
      Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

      -

      SHA Val# 3047

      +

      SHA validation number 3047

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

      Version 10.0.10586

      @@ -6025,21 +6033,21 @@ ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384

      FIPS186-4:
      186-4KEY(gen):       FIPS186-4_Fixed_e (10001);
      PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

      -

      SHA Val# 2886 DRBG: Val# 868

      +

      SHA validation number 2886 DRBG: validation number 868

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

      Version 10.0.10240

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val#2871

      +

      SHA validation number 2871

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

      Version 10.0.10240

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val#2871

      +

      SHA validation number 2871

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

      Version 10.0.10240

      @@ -6047,7 +6055,7 @@ ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 25

      FIPS186-4:
      [RSASSA-PSS]:       Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
      Sig(Ver): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

      -

      SHA Val# 2886

      +

      SHA validation number 2886

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

      Version 10.0.10240

      @@ -6055,14 +6063,14 @@ Sig(Ver): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen

      FIPS186-4:
      186-4KEY(gen):       FIPS186-4_Fixed_e;
      PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

      -

      SHA Val#2373 DRBG: Val# 489

      -

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

      +

      SHA validation number 2373 DRBG: validation number 489

      +

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

      Version 6.3.9600

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val#2373

      +

      SHA validation number 2373

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

      Version 6.3.9600

      @@ -6070,16 +6078,16 @@ ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 25

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5      ] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
      SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val#2373

      -

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

      +

      SHA validation number 2373

      +

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

      Version 6.3.9600

      FIPS186-4:
      [RSASSA-PSS]:       Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
      Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

      -

      SHA Val#2373

      -

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

      +

      SHA validation number 2373

      +

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

      Version 6.3.9600

      @@ -6089,7 +6097,7 @@ SIG(Ver) (1024 SHA(1, 256, 384, 512-256)) (2048 SHA(1, 256, 384, 512-256)) (3072 [RSASSA-PSS]: Sig(Gen): (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
      Sig(Ver): (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512, 512))
      SHA #1903

      -

      Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

      +

      Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1134.

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134 @@ -6104,166 +6112,166 @@ SHA #258
      ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
      SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132. +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1132. Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132 FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1774
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774, SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1052. Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052 FIPS186-2:
      -ALG[ANSIX9.31]:       Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: Val# 193
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051. +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 193
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1773, SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1051. Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051 FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 568. Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568 FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
      +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
      +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 567. See Historical RSA List validation number 560.

      Windows Server 2008 R2 and SP1 CNG algorithms #567

      Windows 7 and SP1 CNG algorithms #560

      FIPS186-2:
      -ALG[ANSIX9.31]:       Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: Val# 23
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559. +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 23
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 559. Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559 FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 557. Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557 FIPS186-2:
      ALG[ANSIX9.31]:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 816, SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 395. Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395 FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#783
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 783
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 783, SHA-384validation number 783, SHA-512validation number 783,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 371. Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371 FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      -ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
      +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
      +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 358. See Historical RSA List validation number 357.

      Windows Server 2008 CNG algorithms #358

      Windows Vista SP1 CNG algorithms #357

      FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#753
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 355. See Historical RSA List validation number 354.

      Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

      Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

      FIPS186-2:
      ALG[ANSIX9.31]:       Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353. +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 353. Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353 FIPS186-2:
      -ALG[ANSIX9.31]:       Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 RNG: Val# 321
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258. +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 RNG: validation number 321
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 258. Windows Vista RSA key generation implementation #258 FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      -ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
      +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
      +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 257. Windows Vista CNG algorithms #257 FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 255. Windows Vista Enhanced Cryptographic Provider (RSAENH) #255 FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#613
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613, SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 245. Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245 FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#589
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589, SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 230. Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230 FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#578
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578, SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 222. Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222 FIPS186-2:
      ALG[RSASSA-PKCS1_V1_5]:
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#364
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81. +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 364
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 81. Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81 FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#305
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305, SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 52. Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

      FIPS186-2:

      -

      – PKCS#1 v1.5, signature generation and verification

      +

      – PKCS#1 v1.5, signature generation, and verification

      – Mod sizes: 1024, 1536, 2048, 3072, 4096

      – SHS: SHA–1/256/384/512

      Windows XP, vendor-affirmed

      @@ -6452,7 +6460,7 @@ Version 6.3.9600 SHA-256 (BYTE-only)
      SHA-384 (BYTE-only)
      SHA-512 (BYTE-only) -Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
      +Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
      Version 6.3.9600 @@ -6638,71 +6646,71 @@ Version 6.3.9600

      Version 10.0.16299

      -TECB(KO 1 e/d,); TCBC(KO 1 e/d,); TCFB8(KO 1 e/d,); TCFB64(KO 1 e/d,) +TECB(KO 1 e/d); TCBC(KO 1 e/d); TCFB8(KO 1 e/d); TCFB64(KO 1 e/d)

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

      Version 10.0.15063

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,)

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d)

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

      Version 8.00.6246

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,)

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d)

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

      Version 8.00.6246

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,);

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d);

      CTR (int only)

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

      Version 7.00.2872

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,)

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d)

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

      Version 8.00.6246

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,);

      -

      TCFB8(KO 1 e/d,);

      -

      TCFB64(KO 1 e/d,)

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d);

      +

      TCFB8(KO 1 e/d);

      +

      TCFB64(KO 1 e/d)

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227

      Version 10.0.14393

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,);

      -

      TCFB8(KO 1 e/d,);

      -

      TCFB64(KO 1 e/d,)

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d);

      +

      TCFB8(KO 1 e/d);

      +

      TCFB64(KO 1 e/d)

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024

      Version 10.0.10586

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,);

      -

      TCFB8(KO 1 e/d,);

      -

      TCFB64(KO 1 e/d,)

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d);

      +

      TCFB8(KO 1 e/d);

      +

      TCFB64(KO 1 e/d)

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969

      Version 10.0.10240

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,);

      -

      TCFB8(KO 1 e/d,);

      -

      TCFB64(KO 1 e/d,)

      -

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d);

      +

      TCFB8(KO 1 e/d);

      +

      TCFB64(KO 1 e/d)

      +

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

      Version 6.3.9600

      @@ -6770,7 +6778,7 @@ Version 6.3.9600 -#### SP 800-132 Password Based Key Derivation Function (PBKDF) +#### SP 800-132 Password-Based Key Derivation Function (PBKDF) @@ -6824,7 +6832,7 @@ Version 6.3.9600

      Prerequisite: DRBG #489

      - @@ -6856,7 +6864,7 @@ Version 6.3.9600
    • Modulus Size: 2048 (bits)
      • - @@ -7265,7 +7273,7 @@ Version 10.0.14393

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
      Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
      Version 10.0.10586

      -

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
      +

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
      Version 6.3.9600

      @@ -7282,7 +7290,7 @@ Version 10.0.15063

      Version 10.0.14393

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
      Version 10.0.14393

      -

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
      +

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
      Version 10.0.10586

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
      Version  10.0.10240

      @@ -7335,10 +7343,7 @@ fips@microsoft.com ## References -\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules - -\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ - -\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) - -\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths +* [FIPS 140-2, Security Requirements for Cryptographic Modules](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)) +* [Cryptographic Module Validation Program (CMVP) FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf) +* [SP 800-57 - Recommendation for Key Management – Part 1: General (Revised)](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final) +* [SP 800-131A - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf) diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md index 81f5a796f3..c6c0883e58 100644 --- a/windows/security/threat-protection/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/get-support-for-security-baselines.md @@ -2,7 +2,7 @@ title: Get support description: Frequently asked question about how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization. keywords: virtualization, security, malware -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp @@ -13,6 +13,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/25/2018 ms.reviewer: +ms.technology: mde --- # Get Support @@ -40,7 +41,7 @@ The toolkit supports formats created by the Windows GPO backup feature (.pol, .i Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features. -**Does SCT support the creation of Microsoft Endpoint Configuration Manager DCM packs?** +**Does SCT support the creation of Microsoft Endpoint Manager DCM packs?** No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). diff --git a/windows/security/threat-protection/images/linux-mdatp-1.png b/windows/security/threat-protection/images/linux-mdatp-1.png new file mode 100644 index 0000000000..f8c9c07b16 Binary files /dev/null and b/windows/security/threat-protection/images/linux-mdatp-1.png differ diff --git a/windows/security/threat-protection/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png new file mode 100644 index 0000000000..f8c9c07b16 Binary files /dev/null and b/windows/security/threat-protection/images/linux-mdatp.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 4ddfd7b193..58b2c201b8 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,9 +1,9 @@ --- title: Threat Protection (Windows 10) -description: Microsoft Defender Advanced Threat Protection is a unified platform for preventative protection, post-breach detection, automated investigation, and response. +description: Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,15 +14,24 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Threat Protection -[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!TIP] > Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/). -

      Microsoft Defender ATP

      +

      Microsoft Defender for Endpoint

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

      +

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

      Version 6.3.9600

      Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

      +

      Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

      Version 10.0.15063.674
      @@ -37,7 +46,7 @@ ms.topic: conceptual
      Centralized configuration and administration, APIs
      - +
      threat and vulnerability icon
      Threat & vulnerability management
      Microsoft Threat Protection
      Microsoft 365 Defender

      @@ -73,7 +82,7 @@ The attack surface reduction set of capabilities provide the first line of defen **[Next-generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
      -To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats. +To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. - [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) - [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus) @@ -98,25 +107,28 @@ Endpoint detection and response capabilities are put in place to detect, investi **[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**
      -In addition to quickly responding to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automated investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. -- [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) -- [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) -- [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) +- [Get an overview of automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) +- [Learn about automation levels](microsoft-defender-atp/automation-levels.md) +- [Configure automated investigation and remediation in Defender for Endpoint](microsoft-defender-atp/configure-automated-investigations-remediation.md) +- [Visit the Action center to see remediation actions](microsoft-defender-atp/auto-investigation-action-center.md) +- [Review remediation actions following an automated investigation](microsoft-defender-atp/manage-auto-investigation.md) +- [View the details and results of an automated investigation](microsoft-defender-atp/autoir-investigation-results.md) **[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**
      -Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. +Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. - [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md) - [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md) -- [Configure your Microsoft Threat Protection managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md) +- [Configure your Microsoft 365 Defender managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md) **[Centralized configuration and administration, APIs](microsoft-defender-atp/management-apis.md)**
      -Integrate Microsoft Defender Advanced Threat Protection into your existing workflows. +Integrate Microsoft Defender for Endpoint into your existing workflows. - [Onboarding](microsoft-defender-atp/onboard-configure.md) - [API and SIEM integration](microsoft-defender-atp/configure-siem.md) - [Exposed APIs](microsoft-defender-atp/apis-intro.md) @@ -125,14 +137,14 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf **[Integration with Microsoft solutions](microsoft-defender-atp/threat-protection-integration.md)**
      - Microsoft Defender ATP directly integrates with various Microsoft solutions, including: + Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including: - Intune -- Office 365 ATP -- Azure ATP -- Azure Security Center +- Microsoft Defender for Office 365 +- Microsoft Defender for Identity +- Azure Defender - Skype for Business - Microsoft Cloud App Security -**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
      - With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. +**[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
      + With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md index 2584ee9200..aa36031971 100644 --- a/windows/security/threat-protection/intelligence/coinminer-malware.md +++ b/windows/security/threat-protection/intelligence/coinminer-malware.md @@ -3,7 +3,7 @@ title: Coin miners ms.reviewer: description: Learn about coin miners, how they can infect devices, and what you can do to protect yourself. keywords: security, malware, coin miners, protection, cryptocurrencies -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Coin miners diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md index 6a3a933a3f..47e4ffb819 100644 --- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md +++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md @@ -3,7 +3,7 @@ title: Coordinated Malware Eradication ms.reviewer: description: The Coordinated Malware Eradication program aims to unite security organizations to disrupt the malware ecosystem. keywords: security, malware, malware eradication, Microsoft Malware Protection Center, MMPC -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,8 +11,9 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Coordinated Malware Eradication diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index 77a3c4e33d..0c75b48120 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -3,7 +3,7 @@ title: How Microsoft identifies malware and potentially unwanted applications ms.reviewer: description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it's malware or a potentially unwanted application. keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # How Microsoft identifies malware and potentially unwanted applications @@ -171,7 +172,7 @@ Microsoft uses specific categories and the category definitions to classify soft * **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages. -* **Torrent software:** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies. +* **Torrent software (Enterprise only):** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies. * **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies. diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md index 3cb57c45ef..fec4892d00 100644 --- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md +++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md @@ -3,7 +3,7 @@ title: Industry collaboration programs ms.reviewer: description: Microsoft industry-wide antimalware collaboration programs - Virus Information Alliance (VIA), Microsoft Virus Initiative (MVI), and Coordinated Malware Eradication (CME) keywords: security, malware, antivirus industry, antimalware Industry, collaboration programs, alliances, Virus Information Alliance, Microsoft Virus Initiative, Coordinated Malware Eradication, WDSI, MMPC, Microsoft Malware Protection Center, partnerships -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,8 +11,9 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Industry collaboration programs diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md index 06734edb7a..5f91ef4a1f 100644 --- a/windows/security/threat-protection/intelligence/developer-faq.md +++ b/windows/security/threat-protection/intelligence/developer-faq.md @@ -4,7 +4,7 @@ ms.reviewer: description: This page provides answers to common questions we receive from software developers keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Software developer FAQ diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md index b413cea906..9c99065431 100644 --- a/windows/security/threat-protection/intelligence/developer-resources.md +++ b/windows/security/threat-protection/intelligence/developer-resources.md @@ -4,7 +4,7 @@ ms.reviewer: description: This page provides information for developers such as detection criteria, developer questions, and how to check your software against Security intelligence. keywords: wdsi, software, developer, resources, detection, criteria, questions, scan, software, definitions, cloud, protection, security intelligence search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium @@ -13,8 +13,9 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Software developer resources diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md index c7b63fd5fd..c7a418d55c 100644 --- a/windows/security/threat-protection/intelligence/exploits-malware.md +++ b/windows/security/threat-protection/intelligence/exploits-malware.md @@ -3,7 +3,7 @@ title: Exploits and exploit kits ms.reviewer: description: Learn about how exploits use vulnerabilities in common software to give attackers access to your computer and install other malware. keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities, Microsoft, Exploit malware family, exploits, java, flash, adobe, update software, prevent exploits, exploit pack, vulnerability, 0-day, holes, weaknesses, attack, Flash, Adobe, out-of-date software, out of date software, update, update software, reinfection, Java cache, reinfected, won't remove, won't clean, still detects, full scan, MSE, Defender, WDSI, MMPC, Microsoft Malware Protection Center -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Exploits and exploit kits @@ -37,11 +38,11 @@ Several notable threats, including Wannacry, exploit the Server Message Block (S Examples of exploit kits: -- Angler / [Axpergle](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fAxpergle) +- Angler / [Axpergle](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Axpergle) -- [Neutrino](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fNeutrino) +- [Neutrino](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/NeutrinoEK) -- [Nuclear](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Exploit:JS/Neclu) +- [Nuclear](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Neclu) To learn more about exploits, read this blog post on [taking apart a double zero-day sample discovered in joint hunt with ESET.](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/) diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index a5f4583231..a120169e13 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -1,9 +1,9 @@ --- title: Fileless threats ms.reviewer: -description: Learn about the categories of fileless threats and malware that "live off the land" +description: Learn about the categories of fileless threats and malware that live off the land keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next-generation protection -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Fileless threats @@ -98,6 +99,6 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with ## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender Advanced Threat Protection [(Microsoft Defender ATP)](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) diff --git a/windows/security/threat-protection/intelligence/index.md b/windows/security/threat-protection/intelligence/index.md index 1814307aac..819ce7f08a 100644 --- a/windows/security/threat-protection/intelligence/index.md +++ b/windows/security/threat-protection/intelligence/index.md @@ -2,7 +2,7 @@ title: Security intelligence description: Learn about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs. keywords: security, malware -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -10,8 +10,9 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Security intelligence diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md index 45dd414624..6faec90f87 100644 --- a/windows/security/threat-protection/intelligence/macro-malware.md +++ b/windows/security/threat-protection/intelligence/macro-malware.md @@ -3,7 +3,7 @@ title: Macro malware ms.reviewer: description: Learn about macro viruses and malware, which are embedded in documents and are used to drop malicious payloads and distribute other threats. keywords: security, malware, macro, protection, WDSI, MMPC, Microsoft Malware Protection Center, macro virus, macro malware, documents, viruses in Office, viruses in Word -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Macro malware diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index d920870809..abd3753a03 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -3,7 +3,7 @@ title: Malware names ms.reviewer: description: Understand the malware naming convention used by Microsoft Defender Antivirus and other Microsoft antimalware. keywords: security, malware, names, Microsoft, MMPC, Microsoft Malware Protection Center, WDSI, malware name, malware prefix, malware type, virus name -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Malware names diff --git a/windows/security/threat-protection/intelligence/phishing-trends.md b/windows/security/threat-protection/intelligence/phishing-trends.md index dcb01fd998..d8cd025a74 100644 --- a/windows/security/threat-protection/intelligence/phishing-trends.md +++ b/windows/security/threat-protection/intelligence/phishing-trends.md @@ -3,7 +3,7 @@ title: Phishing trends and techniques ms.reviewer: description: Learn about how to spot phishing techniques keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack, spear phishing, whaling -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Phishing trends and techniques diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index d70c3f606b..20bf7cc3fd 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md @@ -3,7 +3,7 @@ title: How to protect against phishing attacks ms.reviewer: description: Learn about how phishing work, deliver malware do your devices, and what you can do to protect yourself keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # How to protect against phishing attacks @@ -64,7 +65,7 @@ If in doubt, contact the business by known channels to verify if any suspicious * [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. Using various layers of filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international spam, that will further enhance your protection services. -* Use [Office 365 Advanced Threat Protection (ATP)](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection. +* Use [Microsoft Defender for Office 365](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection. ## What to do if you've been a victim of a phishing scam diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md index bd1b4f57e7..e84f8e37a8 100644 --- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md +++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md @@ -3,7 +3,7 @@ title: Troubleshoot MSI portal errors caused by admin block description: Troubleshoot MSI portal errors ms.reviewer: keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: dansimp author: dansimp manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Troubleshooting malware submission errors caused by administrator block diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index 3313e1d680..45f1877661 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md @@ -3,7 +3,7 @@ title: Prevent malware infection ms.reviewer: description: Learn steps you can take to help prevent a malware or potentially unwanted software from infecting your computer. keywords: security, malware, prevention, infection, tips, Microsoft, MMPC, Microsoft Malware Protection Center, virus, trojan, worm, stop, prevent, full scan, infection, avoid malware, avoid trojan, avoid virus, infection, how, detection, security software, antivirus, updates, how malware works, how virus works, firewall, turn on, user privileges, limit, prevention, WDSI, MMPC, Microsoft Malware Protection Center -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Prevent malware infection @@ -103,11 +104,11 @@ Microsoft provides comprehensive security capabilities that help protect against * [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data. -* [Office 365 Advanced Threat Protection](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders. +* [Microsoft Defender for Office 365](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders. * [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection. -* [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender ATP alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender ATP free of charge. +* [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender for Endpoint free of charge. * [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account. @@ -117,6 +118,6 @@ Microsoft provides comprehensive security capabilities that help protect against ## What to do with a malware infection -Microsoft Defender ATP antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects. +Microsoft Defender for Endpoint antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects. In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware). diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 2936cf36c4..851d1f8c50 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -3,7 +3,7 @@ title: Ransomware ms.reviewer: description: Learn how to protect your computer and network from ransomware attacks, which can stop you from accessing your files. keywords: security, malware, ransomware, encryption, extortion, money, key, infection, prevention, tips, WDSI, MMPC, Microsoft Malware Protection Center, ransomware-as-a-service, ransom, ransomware downloader, protection, prevention, solution, exploit kits, backup, Cerber, Locky, WannaCry, WannaCrypt, Petya, Spora -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Ransomware diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md index f5ea7e21b2..ab4fa996bd 100644 --- a/windows/security/threat-protection/intelligence/rootkits-malware.md +++ b/windows/security/threat-protection/intelligence/rootkits-malware.md @@ -3,7 +3,7 @@ title: Rootkits ms.reviewer: description: Rootkits may be used by malware authors to hide malicious code on your computer and make malware or potentially unwanted software harder to remove. keywords: security, malware, rootkit, hide, protection, hiding, WDSI, MMPC, Microsoft Malware Protection Center, rootkits, Sirefef, Rustock, Sinowal, Cutwail, malware, virus -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Rootkits diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 96e45bc39b..a9c1588361 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -3,7 +3,7 @@ title: Microsoft Safety Scanner Download ms.reviewer: description: Get the Microsoft Safety Scanner tool to find and remove malware from Windows computers. keywords: security, malware -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Microsoft Safety Scanner diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md index 7e771ce477..87667989e4 100644 --- a/windows/security/threat-protection/intelligence/submission-guide.md +++ b/windows/security/threat-protection/intelligence/submission-guide.md @@ -3,7 +3,7 @@ title: Submit files for analysis by Microsoft description: Learn how to submit files to Microsoft for malware analysis, how to track your submissions, and dispute detections. ms.reviewer: keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Submit files for analysis diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md index 7530ec2c2e..fff7e3b7b3 100644 --- a/windows/security/threat-protection/intelligence/supply-chain-malware.md +++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md @@ -3,7 +3,7 @@ title: Supply chain attacks ms.reviewer: description: Learn about how supply chain attacks work, deliver malware do your devices, and what you can do to protect yourself keywords: security, malware, protection, supply chain, hide, distribute, trust, compromised -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Supply chain attacks diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md index 5ecbd9a101..0cfb94aa8f 100644 --- a/windows/security/threat-protection/intelligence/support-scams.md +++ b/windows/security/threat-protection/intelligence/support-scams.md @@ -3,7 +3,7 @@ title: Tech Support Scams ms.reviewer: description: Microsoft security software can protect you from tech support scams that claims to scan for malware or viruses and then shows you fake detections and warnings. keywords: security, malware, tech support, scam, protection, trick, spoof, fake, error messages, report, rogue security software, fake, antivirus, fake software, rogue, threats, fee, removal fee, upgrade, pay for removal, install full version, trial, lots of threats, scanner, scan, clean, computer, security, program, XP home security, fake microsoft, activate, activate scan, activate antivirus, warnings, pop-ups, security warnings, security pop-ups tech support scams, fake Microsoft error notification, fake virus alert, fake product expiration, fake Windows activation, scam web pages, scam phone numbers, telephone numbers, MMPC, WDSI, Microsoft Malware Protection Center, tech support scam numbers -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Tech support scams diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md index 2ed753b049..31228195f8 100644 --- a/windows/security/threat-protection/intelligence/trojans-malware.md +++ b/windows/security/threat-protection/intelligence/trojans-malware.md @@ -3,7 +3,7 @@ title: Trojan malware ms.reviewer: description: Trojans are a type of threat that can infect your device. This page tells you what they are and how to remove them. keywords: security, malware, protection, trojan, download, file, infection, trojans, virus, protection, cleanup, removal, antimalware, antivirus, WDSI, MMPC, Microsoft Malware Protection Center, malware types -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Trojans diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md index eb417b74dd..d7d82578fa 100644 --- a/windows/security/threat-protection/intelligence/understanding-malware.md +++ b/windows/security/threat-protection/intelligence/understanding-malware.md @@ -3,7 +3,7 @@ title: Understanding malware & other threats ms.reviewer: description: Learn about the most prevalent viruses, malware, and other threats. Understand how they infect systems, how they behave, and how to prevent and remove them. keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual search.appverid: met150 +ms.technology: mde --- # Understanding malware & other threats @@ -21,7 +22,7 @@ Malware is a term used to describe malicious applications and code that can caus Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims. -As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)), businesses can stay protected with next-generation protection and other security capabilities. +As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), businesses can stay protected with next-generation protection and other security capabilities. For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic. diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md index ab2471f894..31dc9dc196 100644 --- a/windows/security/threat-protection/intelligence/unwanted-software.md +++ b/windows/security/threat-protection/intelligence/unwanted-software.md @@ -3,7 +3,7 @@ title: Unwanted software ms.reviewer: description: Learn about how unwanted software changes your default settings without your consent and what you can do to protect yourself. keywords: security, malware, protection, unwanted, software, alter, infect, unwanted software, software bundlers, browser modifiers, privacy, security, computing experience, prevent infection, solution, WDSI, MMPC, Microsoft Malware Protection Center, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Unwanted software diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md index fa58868aa8..a70ae6fe7e 100644 --- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md @@ -3,7 +3,7 @@ title: Virus Information Alliance ms.reviewer: description: The Microsoft Virus Information Alliance (VIA) is a collaborative antimalware program for organizations fighting cybercrime. keywords: security, malware, Microsoft, MMPC, Microsoft Malware Protection Center, partners, sharing, samples, vendor exchange, CSS, alliance, WDSI -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,8 +11,9 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Virus Information Alliance diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 5f8f3c8139..8512c8d267 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -3,7 +3,7 @@ title: Microsoft Virus Initiative ms.reviewer: description: The Microsoft Virus Initiative (MVI) helps organizations that make antivirus or antimalware products integrate with Windows and share telemetry with Microsoft. keywords: security, malware, MVI, Microsoft Malware Protection Center, MMPC, alliances, WDSI -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,8 +11,9 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Virus Initiative diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index ca62c08fd9..99c3fafa1a 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -3,7 +3,7 @@ title: Worms ms.reviewer: description: Learn about how worms replicate and spread to other computers or networks. Read about the most popular worms and steps you can take to stop them. keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt, WDSI, MMPC, Microsoft Malware Protection Center, worms, malware types, threat propagation, mass-mailing, IP scanning -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Worms diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 59f32f84e6..09dc088c59 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -2,14 +2,14 @@ title: Guide to removing Microsoft Baseline Security Analyzer (MBSA) description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions. keywords: MBSA, security, removal -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp -author: dulcemontemayor -ms.date: 10/05/2018 +author: dansimp ms.reviewer: manager: dansimp +ms.technology: mde --- # What is Microsoft Baseline Security Analyzer and its uses? diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md deleted file mode 100644 index 273298bf6c..0000000000 --- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md +++ /dev/null @@ -1,77 +0,0 @@ ---- -title: What to do with false positives/negatives in Microsoft Defender Antivirus -description: Did Microsoft Defender Antivirus miss or wrongly detect something? Find out what you can do. -keywords: Microsoft Defender Antivirus, false positives, false negatives, exclusions -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 06/08/2020 -ms.reviewer: shwetaj -manager: dansimp -audience: ITPro -ms.topic: article ---- - -# What to do with false positives/negatives in Microsoft Defender Antivirus - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -**Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web. - -What if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these issues. You can: -- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis) -- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring) -- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) - -## Submit a file to Microsoft for analysis - -1. Review the [submission guidelines](../intelligence/submission-guide.md). -2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission). - -> [!TIP] -> We recommend signing in at the submission portal so you can track the results of your submissions. - -## Create an "Allow" indicator to prevent a false positive from recurring - -If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender for Endpoint) that the item is safe. - -To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). - -## Define an exclusion on an individual Windows device to prevent an item from being scanned - -When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item. - -1. On your Windows 10 device, open the Windows Security app. -2. Select **Virus & threat protection** > **Virus & threat protection settings**. -3. Under **Exclusions**, select **Add or remove exclusions**. -4. Select **+ Add an exclusion**, and specify its type (**File**, **Folder**, **File type**, or **Process**). - -The following table summarizes exclusion types, how they're defined, and what happens when they're in effect. - -|Exclusion type |Defined by |What happens | -|---------|---------|---------| -|**File** |Location
      Example: `c:\sample\sample.test` |The specified file is skipped by Microsoft Defender Antivirus. | -|**Folder** |Location
      Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. | -|**File type** |File extension
      Example: `.test` |All files with the specified extension anywhere on your device are skipped by Microsoft Defender Antivirus. | -|**Process** |Executable file path
      Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. | - -To learn more, see: -- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus) -- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus) - -## Related articles - -[What is Microsoft Defender for Endpoint?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) - -[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md index 586598290d..53cc0585bb 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -3,7 +3,7 @@ title: Collect diagnostic data for Update Compliance and Windows Defender Micros description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md index b98d9268b6..db2a7a7f8e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md @@ -3,7 +3,7 @@ title: Collect diagnostic data of Microsoft Defender Antivirus description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 06/29/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Collect Microsoft Defender AV diagnostic data diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md index f6c285389b..04a84573cc 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md @@ -3,16 +3,17 @@ title: Use the command line to manage Microsoft Defender Antivirus description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility. keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: ksarens +ms.reviewer: ksarens manager: dansimp ms.date: 08/17/2020 +ms.technology: mde --- # Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md index 58cd36777d..3108c5ea6b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Common mistakes to avoid when defining exclusions description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans. keywords: exclusions, files, extension, file type, folder name, file name, scans search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Common mistakes to avoid when defining exclusions @@ -21,136 +22,38 @@ manager: dansimp You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. -This topic describes some common mistake that you should avoid when defining exclusions. +This article describes some common mistake that you should avoid when defining exclusions. Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions). ## Excluding certain trusted items -There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning. -**Do not add exclusions for the following folder locations:** +Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious. -- %systemdrive% -- C: -- C:\ -- C:\* -- %ProgramFiles%\Java -- C:\Program Files\Java -- %ProgramFiles%\Contoso\ -- C:\Program Files\Contoso\ -- %ProgramFiles(x86)%\Contoso\ -- C:\Program Files (x86)\Contoso\ -- C:\Temp -- C:\Temp\ -- C:\Temp\* -- C:\Users\ -- C:\Users\* -- C:\Users\\AppData\Local\Temp\ -- C:\Users\\AppData\LocalLow\Temp\ -- C:\Users\\AppData\Roaming\Temp\ -- %Windir%\Prefetch -- C:\Windows\Prefetch -- C:\Windows\Prefetch\ -- C:\Windows\Prefetch\* -- %Windir%\System32\Spool -- C:\Windows\System32\Spool -- C:\Windows\System32\CatRoot2 -- %Windir%\Temp -- C:\Windows\Temp -- C:\Windows\Temp\ -- C:\Windows\Temp\* +Do not define exclusions for the folder locations, file extensions, and processes that are listed in the following table: -**Do not add exclusions for the following file extensions:** -- .7zip -- .bat -- .bin -- .cab -- .cmd -- .com -- .cpl -- .dll -- .exe -- .fla -- .gif -- .gz -- .hta -- .inf -- .java -- .jar -- .job -- .jpeg -- .jpg -- .js -- .ko -- .ko.gz -- .msi -- .ocx -- .png -- .ps1 -- .py -- .rar -- .reg -- .scr -- .sys -- .tar -- .tmp -- .url -- .vbe -- .vbs -- .wsf -- .zip +| Folder locations | File extensions | Processes | +|:--|:--|:--| +| `%systemdrive%`
      `C:`
      `C:\`
      `C:\*`
      `%ProgramFiles%\Java`
      `C:\Program Files\Java`
      `%ProgramFiles%\Contoso\`
      `C:\Program Files\Contoso\`
      `%ProgramFiles(x86)%\Contoso\`
      `C:\Program Files (x86)\Contoso\`
      `C:\Temp`
      `C:\Temp\`
      `C:\Temp\*`
      `C:\Users\`
      `C:\Users\*`
      `C:\Users\\AppData\Local\Temp\`
      `C:\Users\\AppData\LocalLow\Temp\`
      `C:\Users\\AppData\Roaming\Temp\`
      `%Windir%\Prefetch`
      `C:\Windows\Prefetch`
      `C:\Windows\Prefetch\`
      `C:\Windows\Prefetch\*`
      `%Windir%\System32\Spool`
      `C:\Windows\System32\Spool`
      `C:\Windows\System32\CatRoot2`
      `%Windir%\Temp`
      `C:\Windows\Temp`
      `C:\Windows\Temp\`
      `C:\Windows\Temp\*` | `.7zip`
      `.bat`
      `.bin`
      `.cab`
      `.cmd`
      `.com`
      `.cpl`
      `.dll`
      `.exe`
      `.fla`
      `.gif`
      `.gz`
      `.hta`
      `.inf`
      `.java`
      `.jar`
      `.job`
      `.jpeg`
      `.jpg`
      `.js`
      `.ko`
      `.ko.gz`
      `.msi`
      `.ocx`
      `.png`
      `.ps1`
      `.py`
      `.rar`
      `.reg`
      `.scr`
      `.sys`
      `.tar`
      `.tmp`
      `.url`
      `.vbe`
      `.vbs`
      `.wsf`
      `.zip` | `AcroRd32.exe`
      `bitsadmin.exe`
      `excel.exe`
      `iexplore.exe`
      `java.exe`
      `outlook.exe`
      `psexec.exe`
      `powerpnt.exe`
      `powershell.exe`
      `schtasks.exe`
      `svchost.exe`
      `wmic.exe`
      `winword.exe`
      `wuauclt.exe`
      `addinprocess.exe`
      `addinprocess32.exe`
      `addinutil.exe`
      `bash.exe`
      `bginfo.exe`[1]
      `cdb.exe`
      `csi.exe`
      `dbghost.exe`
      `dbgsvc.exe`
      `dnx.exe`
      `fsi.exe`
      `fsiAnyCpu.exe`
      `kd.exe`
      `ntkd.exe`
      `lxssmanager.dll`
      `msbuild.exe`[2]
      `mshta.exe`
      `ntsd.exe`
      `rcsi.exe`
      `system.management.automation.dll`
      `windbg.exe` | >[!NOTE] -> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities. - -**Do not add exclusions for the following processes:** -- AcroRd32.exe -- bitsadmin.exe -- excel.exe -- iexplore.exe -- java.exe -- outlook.exe -- psexec.exe -- powerpnt.exe -- powershell.exe -- schtasks.exe -- svchost.exe -- wmic.exe -- winword.exe -- wuauclt.exe -- addinprocess.exe -- addinprocess32.exe -- addinutil.exe -- bash.exe -- bginfo.exe[1] -- cdb.exe -- csi.exe -- dbghost.exe -- dbgsvc.exe -- dnx.exe -- fsi.exe -- fsiAnyCpu.exe -- kd.exe -- ntkd.exe -- lxssmanager.dll -- msbuild.exe[2] -- mshta.exe -- ntsd.exe -- rcsi.exe -- system.management.automation.dll -- windbg.exe +> You can chose to exclude file types, such as `.gif`, `.jpg`, `.jpeg`, or `.png` if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities. ## Using just the file name in the exclusion list -A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**. + +A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`. ## Using a single exclusion list for multiple server workloads + Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload. ## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists + Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables. + See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists. -## Related topics +## Related articles - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md index 2a0313ec61..060cddd476 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Manage Windows Defender in your business description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,9 +11,10 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 12/16/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Manage Microsoft Defender Antivirus in your business @@ -27,21 +28,19 @@ manager: dansimp You can manage and configure Microsoft Defender Antivirus with the following tools: -- Microsoft Intune (now part of Microsoft Endpoint Manager) -- Microsoft Endpoint Configuration Manager (now part of Microsoft Endpoint Manager) -- Group Policy -- PowerShell cmdlets -- Windows Management Instrumentation (WMI) -- The Microsoft Malware Protection Command Line Utility (referred to as the *mpcmdrun.exe* utility +- [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy) (now part of Microsoft Endpoint Manager) +- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) (now part of Microsoft Endpoint Manager) +- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) +- [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) +- [Windows Management Instrumentation (WMI)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus) +- The [Microsoft Malware Protection Command Line Utility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) (referred to as the *mpcmdrun.exe* utility -The articles in this section provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus. +The following articles provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus. -## In this section - -Article | Description ----|--- -[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus -[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates -[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters -[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) -[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus +| Article | Description | +|:---|:---| +|[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus | +|[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates | +|[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters | +|[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) | +|[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus | diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md index 5d559f0d89..7782d63b95 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md @@ -4,7 +4,7 @@ description: You can configure Microsoft Defender AV to scan email storage files keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp - +ms.technology: mde --- # Configure Microsoft Defender Antivirus scanning options @@ -29,9 +29,9 @@ manager: dansimp See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. -## Use Microsoft Endpoint Configuration Manager to configure scanning options +## Use Microsoft Endpoint Manager to configure scanning options -See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Manager (current branch). ## Use Group Policy to configure scanning options diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index 43aa53b445..801001d7ef 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Enable block at first sight to detect malware in seconds description: Turn on the block at first sight feature to detect and block malware within seconds. keywords: scan, BAFS, malware, first seen, first sight, cloud, defender search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: high @@ -13,6 +13,7 @@ ms.reviewer: manager: dansimp ms.custom: nextgen ms.date: 10/22/2020 +ms.technology: mde --- # Turn on block at first sight @@ -22,7 +23,7 @@ ms.date: 10/22/2020 **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md index 4be673460a..fc9ab62d48 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure the Microsoft Defender AV cloud block timeout period description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination. keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure the cloud block timeout period @@ -23,7 +24,7 @@ manager: dansimp **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md index 93e3d5c543..91d207c1bc 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure how users can interact with Microsoft Defender AV description: Configure how end-users interact with Microsoft Defender AV, what notifications they see, and if they can override settings. keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure end-user interaction with Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md index 4d3ba69753..beb6882a8b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md @@ -3,16 +3,16 @@ title: Set up exclusions for Microsoft Defender AV scans description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell. keywords: search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 03/12/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure and validate exclusions for Microsoft Defender Antivirus scans @@ -41,8 +41,11 @@ Defining exclusions lowers the protection offered by Microsoft Defender Antiviru The following is a list of recommendations that you should keep in mind when defining exclusions: - Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc. + - Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process. + - Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate. + - Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded. ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index 88a2e71534..54c891a786 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure and validate exclusions based on extension, name, or location description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location. keywords: exclusions, files, extension, file type, folder name, file name, scans search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,7 +12,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp -ms.date: 10/21/2020 +ms.technology: mde --- # Configure and validate exclusions based on file extension and folder location @@ -29,40 +29,39 @@ ms.date: 10/21/2020 ## Exclusion lists -You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. +You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. + +**Note**: Exclusions apply to Potentially Unwanted Apps (PUA) detections as well. > [!NOTE] > Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell. This article describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. -Exclusion | Examples | Exclusion list ----|---|--- -Any file with a specific extension | All files with the specified extension, anywhere on the machine.
      Valid syntax: `.test` and `test` | Extension exclusions -Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions -A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions -A specific process | The executable file `c:\test\process.exe` | File and folder exclusions +| Exclusion | Examples | Exclusion list | +|:---|:---|:---| +|Any file with a specific extension | All files with the specified extension, anywhere on the machine.
      Valid syntax: `.test` and `test` | Extension exclusions | +|Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions | +| A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions | +| A specific process | The executable file `c:\test\process.exe` | File and folder exclusions | Exclusion lists have the following characteristics: - Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately. - File extensions apply to any file name with the defined extension if a path or folder is not defined. ->[!IMPORTANT] ->Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. -> ->You cannot exclude mapped network drives. You must specify the actual network path. -> ->Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. +> [!IMPORTANT] +> - Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. +> - You cannot exclude mapped network drives. You must specify the actual network path. +> - Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md). ->[!IMPORTANT] ->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). -> ->Changes made in the Windows Security app **will not show** in the Group Policy lists. +> [!IMPORTANT] +> Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). +> Changes made in the Windows Security app **will not show** in the Group Policy lists. By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts. @@ -78,39 +77,37 @@ See the following articles: ### Use Configuration Manager to configure file name, folder, or file extension exclusions -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch). ### Use Group Policy to configure folder or file extension exclusions >[!NOTE] >If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded. -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. -3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**. +3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**. -4. Double-click the **Path Exclusions** setting and add the exclusions. +4. Open the **Path Exclusions** setting for editing, and add your exclusions. - Set the option to **Enabled**. - Under the **Options** section, click **Show...**. - Specify each folder on its own line under the **Value name** column. - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. -5. Click **OK**. +5. Choose **OK**. ![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) -6. Double-click the **Extension Exclusions** setting and add the exclusions. +6. Open the **Extension Exclusions** setting for editing and add your exclusions. - Set the option to **Enabled**. - - Under the **Options** section, click **Show...**. + - Under the **Options** section, select **Show...**. - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. -7. Click **OK**. - - ![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png) +7. Choose **OK**. @@ -126,21 +123,21 @@ The format for the cmdlets is as follows: The following are allowed as the ``: -Configuration action | PowerShell cmdlet ----|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove item from the list | `Remove-MpPreference` +| Configuration action | PowerShell cmdlet | +|:---|:---| +|Create or overwrite the list | `Set-MpPreference` | +|Add to the list | `Add-MpPreference` | +|Remove item from the list | `Remove-MpPreference` | The following are allowed as the ``: -Exclusion type | PowerShell parameter ----|--- -All files with a specified file extension | `-ExclusionExtension` -All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` +| Exclusion type | PowerShell parameter | +|:---|:---| +| All files with a specified file extension | `-ExclusionExtension` | +| All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` | ->[!IMPORTANT] ->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. +> [!IMPORTANT] +> If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. For example, the following code snippet would cause Microsoft Defender AV scans to exclude any file with the `.test` file extension: @@ -175,29 +172,26 @@ See [Add exclusions in the Windows Security app](microsoft-defender-security-cen You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations. ->[!IMPORTANT] ->There are key limitations and usage scenarios for these wildcards: -> ->- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. ->- You cannot use a wildcard in place of a drive letter. ->- An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. +> [!IMPORTANT] +> There are key limitations and usage scenarios for these wildcards: +> - Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. +> - You cannot use a wildcard in place of a drive letter. +> - An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. The following table describes how the wildcards can be used and provides some examples. |Wildcard |Examples | -|---------|---------| +|:---------|:---------| |`*` (asterisk)

      In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.

      In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`

      `C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`

      `C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` | |`?` (question mark)

      In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.

      In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?` would include `C:\MyData\my1.zip`

      `C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders

      `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders | |Environment variables

      The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` | ->[!IMPORTANT] ->If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. -> ->For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`. -> ->This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`. +> [!IMPORTANT] +> If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. +> For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`. +> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`. @@ -205,273 +199,68 @@ The following table describes how the wildcards can be used and provides some ex The following table lists and describes the system account environment variables. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      System environment variablesWill redirect to:
      %APPDATA%C:\Users\UserName.DomainName\AppData\Roaming
      %APPDATA%\Microsoft\Internet Explorer\Quick LaunchC:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
      %APPDATA%\Microsoft\Windows\Start MenuC:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu
      %APPDATA%\Microsoft\Windows\Start Menu\ProgramsC:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
      %LOCALAPPDATA% C:\Windows\System32\config\systemprofile\AppData\Local
      %ProgramData%C:\ProgramData
      %ProgramFiles%C:\Program Files
      %ProgramFiles%\Common Files C:\Program Files\Common Files
      %ProgramFiles%\Windows Sidebar\Gadgets C:\Program Files\Windows Sidebar\Gadgets
      %ProgramFiles%\Common FilesC:\Program Files\Common Files
      %ProgramFiles(x86)% C:\Program Files (x86)
      %ProgramFiles(x86)%\Common Files C:\Program Files (x86)\Common Files
      %SystemDrive%C:
      %SystemDrive%\Program FilesC:\Program Files
      %SystemDrive%\Program Files (x86) C:\Program Files (x86)
      %SystemDrive%\Users C:\Users
      %SystemDrive%\Users\PublicC:\Users\Public
      %SystemRoot% C:\Windows
      %windir%C:\Windows
      %windir%\FontsC:\Windows\Fonts
      %windir%\Resources C:\Windows\Resources
      %windir%\resources\0409C:\Windows\resources\0409
      %windir%\system32C:\Windows\System32
      %ALLUSERSPROFILE%C:\ProgramData
      %ALLUSERSPROFILE%\Application DataC:\ProgramData\Application Data
      %ALLUSERSPROFILE%\DocumentsC:\ProgramData\Documents
      %ALLUSERSPROFILE%\Documents\My Music\Sample Music -

      C:\ProgramData\Documents\My Music\Sample Music

      -

      .

      -
      %ALLUSERSPROFILE%\Documents\My Music C:\ProgramData\Documents\My Music
      %ALLUSERSPROFILE%\Documents\My Pictures -

      C:\ProgramData\Documents\My Pictures -

      -
      %ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures C:\ProgramData\Documents\My Pictures\Sample Pictures
      %ALLUSERSPROFILE%\Documents\My Videos C:\ProgramData\Documents\My Videos
      %ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore C:\ProgramData\Microsoft\Windows\DeviceMetadataStore
      %ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer C:\ProgramData\Microsoft\Windows\GameExplorer
      %ALLUSERSPROFILE%\Microsoft\Windows\Ringtones C:\ProgramData\Microsoft\Windows\Ringtones
      %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu C:\ProgramData\Microsoft\Windows\Start Menu
      %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs C:\ProgramData\Microsoft\Windows\Start Menu\Programs
      %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative ToolsC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
      %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
      %ALLUSERSPROFILE%\Microsoft\Windows\Templates C:\ProgramData\Microsoft\Windows\Templates
      %ALLUSERSPROFILE%\Start Menu C:\ProgramData\Start Menu
      %ALLUSERSPROFILE%\Start Menu\Programs C:\ProgramData\Start Menu\Programs
      %ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools C:\ProgramData\Start Menu\Programs\Administrative Tools
      %ALLUSERSPROFILE%\Templates C:\ProgramData\Templates
      %LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates
      %LOCALAPPDATA%\Microsoft\Windows\History C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History
      -

      -%PUBLIC%

      -      		C:\Users\Public
      %PUBLIC%\AccountPictures C:\Users\Public\AccountPictures
      %PUBLIC%\Desktop C:\Users\Public\Desktop
      %PUBLIC%\Documents C:\Users\Public\Documents
      %PUBLIC%\Downloads C:\Users\Public\Downloads
      %PUBLIC%\Music\Sample Music -

      C:\Users\Public\Music\Sample Music

      -

      .

      -
      %PUBLIC%\Music\Sample Playlists -

      C:\Users\Public\Music\Sample Playlists

      -

      .

      -
      %PUBLIC%\Pictures\Sample Pictures C:\Users\Public\Pictures\Sample Pictures
      %PUBLIC%\RecordedTV.library-msC:\Users\Public\RecordedTV.library-ms
      %PUBLIC%\VideosC:\Users\Public\Videos
      %PUBLIC%\Videos\Sample Videos -

      C:\Users\Public\Videos\Sample Videos

      -

      .

      -
      %USERPROFILE% C:\Windows\System32\config\systemprofile
      %USERPROFILE%\AppData\Local C:\Windows\System32\config\systemprofile\AppData\Local
      %USERPROFILE%\AppData\LocalLow C:\Windows\System32\config\systemprofile\AppData\LocalLow
      %USERPROFILE%\AppData\Roaming C:\Windows\System32\config\systemprofile\AppData\Roaming
      +| This system environment variable... | Redirects to this | +|:--|:--| +| `%APPDATA%`| `C:\Users\UserName.DomainName\AppData\Roaming` | +| `%APPDATA%\Microsoft\Internet Explorer\Quick Launch` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch` | +| `%APPDATA%\Microsoft\Windows\Start Menu` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu` | +| `%APPDATA%\Microsoft\Windows\Start Menu\Programs` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs` | +| `%LOCALAPPDATA%` | `C:\Windows\System32\config\systemprofile\AppData\Local` | +| `%ProgramData%` | `C:\ProgramData` | +| `%ProgramFiles%` | `C:\Program Files` | +| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` | +| `%ProgramFiles%\Windows Sidebar\Gadgets` | `C:\Program Files\Windows Sidebar\Gadgets` | +| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` | +| `%ProgramFiles(x86)%` | `C:\Program Files (x86)` | +| `%ProgramFiles(x86)%\Common Files` | `C:\Program Files (x86)\Common Files` | +| `%SystemDrive%` | `C:` | +| `%SystemDrive%\Program Files` | `C:\Program Files` | +| `%SystemDrive%\Program Files (x86)` | `C:\Program Files (x86)` | +| `%SystemDrive%\Users` | `C:\Users` | +| `%SystemDrive%\Users\Public` | `C:\Users\Public` | +| `%SystemRoot%` | `C:\Windows` | +| `%windir%` | `C:\Windows` | +| `%windir%\Fonts` | `C:\Windows\Fonts` | +| `%windir%\Resources` | `C:\Windows\Resources` | +| `%windir%\resources\0409` | `C:\Windows\resources\0409` | +| `%windir%\system32` | `C:\Windows\System32` | +| `%ALLUSERSPROFILE%` | `C:\ProgramData` | +| `%ALLUSERSPROFILE%\Application Data` | `C:\ProgramData\Application Data` | +| `%ALLUSERSPROFILE%\Documents` | `C:\ProgramData\Documents` | +| `%ALLUSERSPROFILE%\Documents\My Music\Sample Music` | `C:\ProgramData\Documents\My Music\Sample Music` | +| `%ALLUSERSPROFILE%\Documents\My Music` | `C:\ProgramData\Documents\My Music` | +| `%ALLUSERSPROFILE%\Documents\My Pictures` | `C:\ProgramData\Documents\My Pictures` | +| `%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures` | `C:\ProgramData\Documents\My Pictures\Sample Pictures` | +| `%ALLUSERSPROFILE%\Documents\My Videos` | `C:\ProgramData\Documents\My Videos` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore` | `C:\ProgramData\Microsoft\Windows\DeviceMetadataStore` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer` | `C:\ProgramData\Microsoft\Windows\GameExplorer` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones` | `C:\ProgramData\Microsoft\Windows\Ringtones` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu` | `C:\ProgramData\Microsoft\Windows\Start Menu` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Templates` | `C:\ProgramData\Microsoft\Windows\Templates` | +| `%ALLUSERSPROFILE%\Start Menu` | `C:\ProgramData\Start Menu` | +| `%ALLUSERSPROFILE%\Start Menu\Programs` | C:\ProgramData\Start Menu\Programs | +| `%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Start Menu\Programs\Administrative Tools` | +| `%ALLUSERSPROFILE%\Templates` | `C:\ProgramData\Templates` | +| `%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates` | +| `%LOCALAPPDATA%\Microsoft\Windows\History` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History` | +| `%PUBLIC%` | `C:\Users\Public` | +| `%PUBLIC%\AccountPictures` | `C:\Users\Public\AccountPictures` | +| `%PUBLIC%\Desktop` | `C:\Users\Public\Desktop` | +| `%PUBLIC%\Documents` | `C:\Users\Public\Documents` | +| `%PUBLIC%\Downloads` | `C:\Users\Public\Downloads` | +| `%PUBLIC%\Music\Sample Music` | `C:\Users\Public\Music\Sample Music` | +| `%PUBLIC%\Music\Sample Playlists` | `C:\Users\Public\Music\Sample Playlists` | +| `%PUBLIC%\Pictures\Sample Pictures` | `C:\Users\Public\Pictures\Sample Pictures` | +| `%PUBLIC%\RecordedTV.library-ms` | `C:\Users\Public\RecordedTV.library-ms` | +| `%PUBLIC%\Videos` | `C:\Users\Public\Videos` | +| `%PUBLIC%\Videos\Sample Videos` | `C:\Users\Public\Videos\Sample Videos` | +| `%USERPROFILE%` | `C:\Windows\System32\config\systemprofile` | +| `%USERPROFILE%\AppData\Local` | `C:\Windows\System32\config\systemprofile\AppData\Local` | +| `%USERPROFILE%\AppData\LocalLow` | `C:\Windows\System32\config\systemprofile\AppData\LocalLow` | +| `%USERPROFILE%\AppData\Roaming` | `C:\Windows\System32\config\systemprofile\AppData\Roaming` | ## Review the list of exclusions @@ -490,7 +279,7 @@ You can retrieve the items in the exclusion list using one of the following meth If you use PowerShell, you can retrieve the list in two ways: -- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists are displayed on separate lines, but the items within each list are combined into the same line. +- Retrieve the status of all Microsoft Defender Antivirus preferences. Each list is displayed on separate lines, but the items within each list are combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. ### Validate the exclusion list by using MpCmdRun diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md index e9c99642d5..4b69f181b0 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure local overrides for Microsoft Defender AV settings description: Enable or disable users from locally changing settings in Microsoft Defender AV. keywords: local override, local policy, group policy, gpo, lockdown,merge, lists search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 02/13/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md index a3d582510d..6185228b0b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md @@ -3,7 +3,7 @@ title: Configure Microsoft Defender Antivirus features description: You can configure Microsoft Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell. keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,9 +11,10 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 11/18/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure Microsoft Defender Antivirus features @@ -37,15 +38,16 @@ The following broad categories of features can be configured: - Cloud-delivered protection - Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection -- How end-users interact with the client on individual endpoints +- How end users interact with the client on individual endpoints -The topics in this section describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). +The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each article includes instructions for the applicable configuration tool (or tools). -You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. +|Article |Description | +|---------|---------| +|[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Use cloud-delivered protection for advanced, fast, robust antivirus detection. | +|[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) |Enable behavior-based, heuristic, and real-time antivirus protection. | +|[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) | Configure how end users in your organization interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings. | + +> [!TIP] +> You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. -## In this section -Topic | Description -:---|:--- -[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection -[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection -[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)|Configure how end-users interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md index 8ee17ca054..f00a35da1f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure and validate Microsoft Defender Antivirus network connections description: Configure and test your connection to the Microsoft Defender Antivirus cloud protection service. keywords: antivirus, Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,9 +11,10 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 07/08/2020 +ms.date: 12/28/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure and validate Microsoft Defender Antivirus network connections @@ -23,7 +24,7 @@ manager: dansimp **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. @@ -62,7 +63,7 @@ The table below lists the services and their associated URLs. Make sure that the | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
      `ussus1westprod.blob.core.windows.net`
      `usseu1northprod.blob.core.windows.net`
      `usseu1westprod.blob.core.windows.net`
      `ussuk1southprod.blob.core.windows.net`
      `ussuk1westprod.blob.core.windows.net`
      `ussas1eastprod.blob.core.windows.net`
      `ussas1southeastprod.blob.core.windows.net`
      `ussau1eastprod.blob.core.windows.net`
      `ussau1southeastprod.blob.core.windows.net` | | Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/`
      `http://www.microsoft.com/pkiops/certs`
      `http://crl.microsoft.com/pki/crl/products`
      `http://www.microsoft.com/pki/certs` | | Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | -| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
      `settings-win.data.microsoft.com`| +| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
      `settings-win.data.microsoft.com`| ## Validate connections between your network and the cloud @@ -85,8 +86,7 @@ For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud. -Download the file by visiting the following link: -- https://aka.ms/ioavtest +Download the file by visiting [https://aka.ms/ioavtest](https://aka.ms/ioavtest). >[!NOTE] >This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. @@ -105,16 +105,16 @@ You will also see a detection under **Quarantined threats** in the **Scan histor 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png) -3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware. +3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware. > [!NOTE] > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md). - The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-microsoft-defender-antivirus.md). + The Windows event log will also show [Windows Defender client event ID 1116](troubleshoot-microsoft-defender-antivirus.md). ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md index 609661e280..1660b6284e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure Microsoft Defender Antivirus notifications description: Learn how to configure and customize both standard and additional Microsoft Defender Antivirus notifications on endpoints. keywords: notifications, defender, antivirus, endpoint, management, admin search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure the notifications that appear on endpoints @@ -76,7 +77,7 @@ You can use Group Policy to: Hiding notifications can be useful in situations where you can't hide the entire Microsoft Defender Antivirus interface. See [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information. > [!NOTE] -> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). +> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 95de8ec073..52641f673b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure exclusions for files opened by specific processes description: You can exclude files from scans if they have been opened by a specific process. keywords: Microsoft Defender Antivirus, process, exclusion, files, scans search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure exclusions for files opened by processes @@ -26,15 +27,16 @@ manager: dansimp You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. -This topic describes how to configure exclusion lists for the following: +This article describes how to configure exclusion lists. - +## Examples of exclusions + +|Exclusion | Example | +|---|---| +|Any file on the machine that is opened by any process with a specific file name | Specifying `test.exe` would exclude files opened by:
      `c:\sample\test.exe`
      `d:\internal\files\test.exe` | +|Any file on the machine that is opened by any process under a specific folder | Specifying `c:\test\sample\*` would exclude files opened by:
      `c:\test\sample\test.exe`
      `c:\test\sample\test2.exe`
      `c:\test\sample\utility.exe` | +|Any file on the machine that is opened by a specific process in a specific folder | Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe` | -Exclusion | Example ----|--- -Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:
      • c:\sample\test.exe
      • d:\internal\files\test.exe
      -Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
      • c:\test\sample\test.exe
      • c:\test\sample\test2.exe
      • c:\test\sample\utility.exe
      -Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md). @@ -42,25 +44,23 @@ The exclusions only apply to [always-on real-time protection and monitoring](con Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists. -You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. +You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists. -You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. +You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists. -By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. +By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. ## Configure the list of exclusions for files opened by specified processes - - ### Use Microsoft Intune to exclude files that have been opened by specified processes from scans See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. -### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans +### Use Microsoft Endpoint Manager to exclude files that have been opened by specified processes from scans -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch). ### Use Group Policy to exclude files that have been opened by specified processes from scans @@ -74,14 +74,10 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...**. - 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. + 3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions. Enter **0** in the **Value** column for all processes. 5. Click **OK**. -![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) - - - ### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). @@ -94,11 +90,11 @@ The format for the cmdlets is: The following are allowed as the \: -Configuration action | PowerShell cmdlet ----|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove items from the list | `Remove-MpPreference` +|Configuration action | PowerShell cmdlet | +|---|---| +|Create or overwrite the list | `Set-MpPreference` | +|Add to the list | `Add-MpPreference` | +|Remove items from the list | `Remove-MpPreference` | >[!IMPORTANT] >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. @@ -109,11 +105,11 @@ For example, the following code snippet would cause Microsoft Defender AV scans Add-MpPreference -ExclusionProcess "c:\internal\test.exe" ``` -See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. +For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender). ### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans -Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties: ```WMI ExclusionProcess @@ -121,33 +117,24 @@ ExclusionProcess The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. -See the following for more information and allowed parameters: - -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - - +For more information and allowed parameters, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal). ### Use the Windows Security app to exclude files that have been opened by specified processes from scans See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) for instructions. - - ## Use wildcards in the process exclusion list The use of wildcards in the process exclusion list is different from their use in other exclusion lists. -In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. +In particular, you cannot use the question mark (`?`) wildcard, and the asterisk (`*`) wildcard can only be used at the end of a complete path. You can still use environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list. The following table describes how the wildcards can be used in the process exclusion list: -Wildcard | Use | Example use | Example matches ----|---|---|--- -\* (asterisk) | Replaces any number of characters |
      • C:\MyData\\*
      |
      • Any file opened by C:\MyData\file.exe
      -? (question mark) | Not available | \- | \- -Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
      • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
      |
      • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
      - - +|Wildcard | Example use | Example matches | +|:---|:---|:---| +|`*` (asterisk)

      Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` | +|Environment variables

      The defined variable is populated as a path when the exclusion is evaluated | `%ALLUSERSPROFILE%\CustomLogFiles\file.exe` | Any file opened by `C:\ProgramData\CustomLogFiles\file.exe` | ## Review the list of exclusions @@ -166,8 +153,8 @@ To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https:// MpCmdRun.exe -CheckExclusion -path ``` ->[!NOTE] ->Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. +> [!NOTE] +> Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. ### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell @@ -178,7 +165,7 @@ Use the following cmdlet: Get-MpPreference ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus. ### Retrieve a specific exclusions list by using PowerShell @@ -189,7 +176,7 @@ $WDAVprefs = Get-MpPreference $WDAVprefs.ExclusionProcess ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus. ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md index 5e47aa185b..12fa08755b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Enable and configure Microsoft Defender Antivirus protection features description: Enable behavior-based, heuristic, and real-time protection in Microsoft Defender AV. keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure behavioral, heuristic, and real-time protection diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md index 83078c2db2..63abc5021b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Enable and configure Microsoft Defender Antivirus protection capabilities description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.date: 12/16/2019 ms.reviewer: manager: dansimp ms.custom: nextgen +ms.technology: mde --- # Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md index cc8fa8dec9..95cd08db31 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Remediate and resolve infections detected by Microsoft Defender Antivirus description: Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder keywords: remediation, fix, remove, threats, quarantine, scan, restore search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,9 +11,10 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 01/06/2021 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure remediation for Microsoft Defender Antivirus scans @@ -39,20 +40,20 @@ To configure these settings: 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below. -4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. +4. Select the policy **Setting** as specified in the table below, and set the option to your desired configuration. Select **OK**, and repeat for any other settings. -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled -Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days -Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) -Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed -Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable -Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable +|Location | Setting | Description | Default setting (if not configured) | +|:---|:---|:---|:---| +|Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled| +|Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days | +|Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) | +|Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed | +|Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable | +|Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable | > [!IMPORTANT] > Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md index 1fa6c1665b..c04445eb32 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md @@ -1,11 +1,11 @@ --- -title: Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019 +title: Configure Microsoft Defender Antivirus exclusions on Windows Server ms.reviewer: manager: dansimp -description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions. +description: Windows Server includes automatic exclusions, based on server role. You can also add custom exclusions. keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,14 +13,19 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen +ms.technology: mde +ms.date: 02/10/2021 --- # Configure Microsoft Defender Antivirus exclusions on Windows Server [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** -Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). > [!NOTE] > Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan. @@ -31,33 +36,29 @@ In addition to server role-defined automatic exclusions, you can add or remove c ## A few points to keep in mind +Keep the following important points in mind: + - Custom exclusions take precedence over automatic exclusions. - - Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan. - - Custom and duplicate exclusions do not conflict with automatic exclusions. - - Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer. ## Opt out of automatic exclusions -In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. +In Windows Server 2016 and Windows Server 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. > [!WARNING] -> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. +> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and Windows Server 2019 roles. Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) . You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI. -### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019 +### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019 1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**. - 2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**. - 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**. - 4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**. ### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019 @@ -68,11 +69,12 @@ Use the following cmdlets: Set-MpPreference -DisableAutoExclusions $true ``` -[Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md). +To learn more, see the following resources: -[Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/). +- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md). +- [Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/). -### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019 +### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019 Use the **Set** method of the [MSFT_MpPreference](https://docs.microsoft.com/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties: @@ -91,54 +93,42 @@ The following sections contain the exclusions that are delivered with automatic This section lists the default exclusions for all Windows Server 2016 and 2019 roles. +> [!NOTE] +> The default locations could be different than what's listed in this article. + #### Windows "temp.edb" files - `%windir%\SoftwareDistribution\Datastore\*\tmp.edb` - - `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log` #### Windows Update files or Automatic Update files - `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb` - - `%windir%\SoftwareDistribution\Datastore\*\edb.chk` - - `%windir%\SoftwareDistribution\Datastore\*\edb\*.log` - - `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs` - - `%windir%\SoftwareDistribution\Datastore\*\Res\*.log` #### Windows Security files - `%windir%\Security\database\*.chk` - - `%windir%\Security\database\*.edb` - - `%windir%\Security\database\*.jrs` - - `%windir%\Security\database\*.log` - - `%windir%\Security\database\*.sdb` #### Group Policy files - `%allusersprofile%\NTUser.pol` - - `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol` - - `%SystemRoot%\System32\GroupPolicy\User\registry.pol` #### WINS files - `%systemroot%\System32\Wins\*\*.chk` - - `%systemroot%\System32\Wins\*\*.log` - - `%systemroot%\System32\Wins\*\*.mdb` - - `%systemroot%\System32\LogFiles\` - - `%systemroot%\SysWow64\LogFiles\` #### File Replication Service (FRS) exclusions @@ -146,9 +136,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` - `%windir%\Ntfrs\jet\sys\*\edb.chk` - - `%windir%\Ntfrs\jet\*\Ntfrs.jdb` - - `%windir%\Ntfrs\jet\log\*\*.log` - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory` @@ -169,95 +157,44 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r > For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions). - `%systemdrive%\System Volume Information\DFSR\$db_normal$` - - `%systemdrive%\System Volume Information\DFSR\FileIDTable_*` - - `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*` - - `%systemdrive%\System Volume Information\DFSR\*.XML` - - `%systemdrive%\System Volume Information\DFSR\$db_dirty$` - - `%systemdrive%\System Volume Information\DFSR\$db_clean$` - - `%systemdrive%\System Volume Information\DFSR\$db_lostl$` - - `%systemdrive%\System Volume Information\DFSR\Dfsr.db` - - `%systemdrive%\System Volume Information\DFSR\*.frx` - - `%systemdrive%\System Volume Information\DFSR\*.log` - - `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs` - - `%systemdrive%\System Volume Information\DFSR\Tmp.edb` #### Process exclusions - `%systemroot%\System32\dfsr.exe` - - `%systemroot%\System32\dfsrs.exe` #### Hyper-V exclusions -This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role +The following table lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role. -- File type exclusions: - - - `*.vhd` - - - `*.vhdx` - - - `*.avhd` - - - `*.avhdx` - - - `*.vsv` - - - `*.iso` - - - `*.rct` - - - `*.vmcx` - - - `*.vmrs` - -- Folder exclusions: - - - `%ProgramData%\Microsoft\Windows\Hyper-V` - - - `%ProgramFiles%\Hyper-V` - - - `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` - - - `%Public%\Documents\Hyper-V\Virtual Hard Disks` - -- Process exclusions: - - - `%systemroot%\System32\Vmms.exe` - - - `%systemroot%\System32\Vmwp.exe` +|File type exclusions |Folder exclusions | Process exclusions | +|:--|:--|:--| +| `*.vhd`
      `*.vhdx`
      `*.avhd`
      `*.avhdx`
      `*.vsv`
      `*.iso`
      `*.rct`
      `*.vmcx`
      `*.vmrs` | `%ProgramData%\Microsoft\Windows\Hyper-V`
      `%ProgramFiles%\Hyper-V`
      `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots`
      `%Public%\Documents\Hyper-V\Virtual Hard Disks` | `%systemroot%\System32\Vmms.exe`
      `%systemroot%\System32\Vmwp.exe` | #### SYSVOL files - `%systemroot%\Sysvol\Domain\*.adm` - - `%systemroot%\Sysvol\Domain\*.admx` - - `%systemroot%\Sysvol\Domain\*.adml` - - `%systemroot%\Sysvol\Domain\Registry.pol` - - `%systemroot%\Sysvol\Domain\*.aas` - - `%systemroot%\Sysvol\Domain\*.inf` - -- `%systemroot%\Sysvol\Domain\*.Scripts.ini` - +- `%systemroot%\Sysvol\Domain\*Scripts.ini` - `%systemroot%\Sysvol\Domain\*.ins` - - `%systemroot%\Sysvol\Domain\Oscfilter.ini` + ### Active Directory exclusions This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services. @@ -267,7 +204,6 @@ This section lists the exclusions that are delivered automatically when you inst The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` - `%windir%\Ntds\ntds.dit` - - `%windir%\Ntds\ntds.pat` #### The AD DS transaction log files @@ -275,13 +211,9 @@ The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path` - `%windir%\Ntds\EDB*.log` - - `%windir%\Ntds\Res*.log` - - `%windir%\Ntds\Edb*.jrs` - - `%windir%\Ntds\Ntds*.pat` - - `%windir%\Ntds\TEMP.edb` #### The NTDS working folder @@ -289,13 +221,11 @@ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\ This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` - `%windir%\Ntds\Temp.edb` - - `%windir%\Ntds\Edb.chk` #### Process exclusions for AD DS and AD DS-related support files - `%systemroot%\System32\ntfrs.exe` - - `%systemroot%\System32\lsass.exe` ### DHCP Server exclusions @@ -303,13 +233,9 @@ This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentC This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters` - `%systemroot%\System32\DHCP\*\*.mdb` - - `%systemroot%\System32\DHCP\*\*.pat` - - `%systemroot%\System32\DHCP\*\*.log` - - `%systemroot%\System32\DHCP\*\*.chk` - - `%systemroot%\System32\DHCP\*\*.edb` ### DNS Server exclusions @@ -319,11 +245,8 @@ This section lists the file and folder exclusions and the process exclusions tha #### File and folder exclusions for the DNS Server role - `%systemroot%\System32\Dns\*\*.log` - - `%systemroot%\System32\Dns\*\*.dns` - - `%systemroot%\System32\Dns\*\*.scc` - - `%systemroot%\System32\Dns\*\BOOT` #### Process exclusions for the DNS Server role @@ -335,9 +258,7 @@ This section lists the file and folder exclusions and the process exclusions tha This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role. - `%SystemDrive%\ClusterStorage` - - `%clusterserviceaccount%\Local Settings\Temp` - - `%SystemDrive%\mscs` ### Print Server exclusions @@ -347,7 +268,6 @@ This section lists the file type exclusions, folder exclusions, and the process #### File type exclusions - `*.shd` - - `*.spl` #### Folder exclusions @@ -367,36 +287,49 @@ This section lists the folder exclusions and the process exclusions that are del #### Folder exclusions - `%SystemRoot%\IIS Temporary Compressed Files` - - `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files` - - `%SystemDrive%\inetpub\temp\ASP Compiled Templates` - - `%systemDrive%\inetpub\logs` - - `%systemDrive%\inetpub\wwwroot` #### Process exclusions - `%SystemRoot%\system32\inetsrv\w3wp.exe` - - `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe` - - `%SystemDrive%\PHP5433\php-cgi.exe` +#### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder + +The current location of the `Sysvol\Sysvol` or `SYSVOL_DFSR\Sysvol` folder and all the subfolders is the file system reparse target of the replica set root. The `Sysvol\Sysvol` and `SYSVOL_DFSR\Sysvol` folders use the following locations by default: + +- `%systemroot%\Sysvol\Domain` +- `%systemroot%\Sysvol_DFSR\Domain` + +The path to the currently active `SYSVOL` is referenced by the NETLOGON share and can be determined by the SysVol value name in the following subkey: `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters` + +Exclude the following files from this folder and all its subfolders: + +- `*.adm` +- `*.admx` +- `*.adml` +- `Registry.pol` +- `Registry.tmp` +- `*.aas` +- `*.inf` +- `Scripts.ini` +- `*.ins` +- `Oscfilter.ini` + ### Windows Server Update Services exclusions This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup` - `%systemroot%\WSUS\WSUSContent` - - `%systemroot%\WSUS\UpdateServicesDBFiles` - - `%systemroot%\SoftwareDistribution\Datastore` - - `%systemroot%\SoftwareDistribution\Download` -## Related articles +## See also - [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md index 0651cae7a7..10b6622a43 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Run and customize scheduled and on-demand scans description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network. keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index 6b950c1ad9..a2a610032c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -3,7 +3,7 @@ title: Run and customize scheduled and on-demand scans description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network. keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Customize, initiate, and review the results of Microsoft Defender Antivirus scans & remediation diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md index d2339875a5..01a88d64d7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Deploy, manage, and report on Microsoft Defender Antivirus description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI keywords: deploy, manage, update, protection, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Deploy, manage, and report on Microsoft Defender Antivirus @@ -42,13 +43,13 @@ You'll also see additional links for: Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options ---|---|---|--- Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management) -Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] +Microsoft Endpoint Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][] Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Defender*](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD. -1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) +1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) 2. In Windows 10, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](microsoft-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md index 97eeac6ba1..c27135a1f6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- -title: Deploy and enable Microsoft Defender Antivirus +title: Deploy and enable Microsoft Defender Antivirus description: Deploy Microsoft Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI. keywords: deploy, enable, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,9 +11,10 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 01/06/2021 ms.reviewer: manager: dansimp +ms.technology: mde --- # Deploy and enable Microsoft Defender Antivirus @@ -29,11 +30,11 @@ Depending on the management tool you are using, you may need to specifically ena See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). -Some scenarios require additional guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. +Some scenarios require more guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. -The remaining topic in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md). +The remaining article in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md). -## Related topics +## Related articles - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 8139e27e9a..ef143bfe39 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -3,16 +3,17 @@ title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment gu description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance. keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 01/31/2020 -ms.reviewer: +ms.date: 12/28/2020 +ms.reviewer: jesquive manager: dansimp +ms.technology: mde --- # Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment @@ -28,7 +29,7 @@ In addition to standard on-premises or hardware configurations, you can also use See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support. -For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic. +For Azure-based virtual machines, see [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection). With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on. @@ -49,7 +50,7 @@ You can also download the whitepaper [Microsoft Defender Antivirus on Virtual De ## Set up a dedicated VDI file share -In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine — thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell. +In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. This feature has been backported and now works in Windows 10 version 1703 and above. You can set this feature with a Group Policy, or PowerShell. ### Use Group Policy to enable the shared security intelligence feature: @@ -63,7 +64,7 @@ In Windows 10, version 1903, we introduced the shared security intelligence feat 5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears. -6. Enter `\\\wdav-update` (for what this will be, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). +6. Enter `\\\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). 7. Click **OK**. @@ -81,14 +82,13 @@ See the [Download and unpackage](#download-and-unpackage-the-latest-updates) sec ## Download and unpackage the latest updates -Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those). +Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts). ```PowerShell -$vdmpathbase = 'c:\wdav-update\{00000000-0000-0000-0000-' +$vdmpathbase = "$env:systemdrive\wdav-update\{00000000-0000-0000-0000-" $vdmpathtime = Get-Date -format "yMMddHHmmss" $vdmpath = $vdmpathbase + $vdmpathtime + '}' $vdmpackage = $vdmpath + '\mpam-fe.exe' -$args = @("/x") New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null @@ -98,7 +98,7 @@ cmd /c "cd $vdmpath & c: & mpam-fe.exe /x" ``` You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update. -We suggest starting with once a day — but you should experiment with increasing or decreasing the frequency to understand the impact. +We suggest starting with once a day—but you should experiment with increasing or decreasing the frequency to understand the impact. Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn’t advised because it will increase the network overhead on your management machine for no benefit. @@ -106,23 +106,25 @@ Security intelligence packages are typically published once every three to four 1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel. -2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**. +2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New…** > **Daily**, and select **OK**. -3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**. +3. Go to the **Actions** tab. Select **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**. 4. You can choose to configure additional settings if you wish. -5. Click **OK** to save the scheduled task. +5. Select **OK** to save the scheduled task. You can initiate the update manually by right-clicking on the task and clicking **Run**. ### Download and unpackage manually -If you would prefer to do everything manually, this what you would need to do to replicate the script’s behavior: +If you would prefer to do everything manually, here's what to do to replicate the script’s behavior: 1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`. -2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`; for example `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`. +2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}` + +Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}` > [!NOTE] > In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time. @@ -138,74 +140,99 @@ If you would prefer to do everything manually, this what you would need to do to Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md). -The start time of the scan itself is still based on the scheduled scan policy — ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan. +The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization will cause Microsoft Defender Antivirus to start a scan on each machine within a 4-hour window from the time set for the scheduled scan. See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans. ## Use quick scans -You can specify the type of scan that should be performed during a scheduled scan. -Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. +You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy. -1. Expand the tree to **Windows components > Windows Defender > Scan**. +1. In your Group Policy Editor, go to **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus** > **Scan**. -2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. +2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Enabled**, and then under **Options**, select **Quick scan**. + +4. Select **OK**. + +5. Deploy your Group Policy object as you usually do. ## Prevent notifications -Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface. +Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications with Group Policy. -1. Expand the tree to **Windows components > Windows Defender > Client Interface**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**. -2. Double-click **Suppress all notifications** and set the option to **Enabled**. +2. Select **Suppress all notifications** and then edit the policy settings. -3. Click **OK**. +3. Set the policy to **Enabled**, and then select **OK**. -This prevents notifications from Microsoft Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. +4. Deploy your Group Policy object as you usually do. + +Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up in the Action Center on Windows 10 when scans are done or remediation actions are taken. However, your security operations team will see the results of the scan in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). + +> [!TIP] +> To open the Action Center on Windows 10, take one of the following steps: +> - On the right end of the taskbar, select the Action Center icon. +> - Press the Windows logo key button + A. +> - On a touchscreen device, swipe in from the right edge of the screen. ## Disable scans after an update -This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). +Disabling a scan after an update will prevent a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). > [!IMPORTANT] > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. -1. Expand the tree to **Windows components > Windows Defender > Signature Updates**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. -2. Double-click **Turn on scan after signature update** and set the option to **Disabled**. +2. Select **Turn on scan after security intelligence update** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Disabled**. -This prevents a scan from running immediately after an update. +4. Select **OK**. + +5. Deploy your Group Policy object as you usually do. + +This policy prevents a scan from running immediately after an update. ## Scan VMs that have been offline -1. Expand the tree to **Windows components > Windows Defender > Scan**. +1. In your Group Policy Editor, go to to **Windows components** > **Microsoft Defender Antivirus** > **Scan**. -2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. +2. Select **Turn on catch-up quick scan** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Enabled**. -This forces a scan if the VM has missed two or more consecutive scheduled scans. +4. Select **OK**. + +5. Deploy your Group Policy Object as you usually do. + +This policy forces a scan if the VM has missed two or more consecutive scheduled scans. ## Enable headless UI mode -1. Double-click **Enable headless UI mode** and set the option to **Enabled**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**. -2. Click **OK**. +2. Select **Enable headless UI mode** and edit the policy. -This hides the entire Microsoft Defender AV user interface from users. +3. Set the policy to **Enabled**. + +4. Click **OK**. + +5. Deploy your Group Policy Object as you usually do. + +This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization. ## Exclusions Exclusions can be added, removed, or customized to suit your needs. -For more details, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md). +For more information, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md). ## Additional resources -- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( https://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s) +- [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633) - [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS) - [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 4c9c47828e..eedb6be8ae 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Block potentially unwanted applications with Microsoft Defender Antivirus description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware. keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: detect ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: +ms.date: 02/03/2021 ms.reviewer: manager: dansimp +ms.technology: mde --- # Detect and block potentially unwanted applications @@ -31,136 +32,155 @@ manager: dansimp Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior. -For example: +Here are some examples: -* **Advertising software**: Software that displays advertisements or promotions, including software that inserts advertisements to webpages. -* **Bundling software**: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. -* **Evasion software**: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. +- **Advertising software** that displays advertisements or promotions, including software that inserts advertisements to webpages. +- **Bundling software** that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. +- **Evasion software** that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. -For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). +> [!TIP] +> For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. -## How it works +PUA protection is supported on Windows 10, Windows Server 2019, and Windows Server 2016. -### Microsoft Edge +## Microsoft Edge -The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). +The [new Microsoft Edge](https://support.microsoft.com/microsoft-edge/get-to-know-microsoft-edge-3f4bb0ff-58de-2188-55c0-f560b7e20bea), which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). -#### Enable PUA protection in Chromium-based Microsoft Edge +### Enable PUA protection in Chromium-based Microsoft Edge Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser. 1. Select the ellipses, and then choose **Settings**. -2. Select **Privacy and services**. -3. Under the **Services** section, turn on **Block potentially unwanted apps**. +2. Select **Privacy, search, and services**. +3. Under the **Security** section, turn on **Block potentially unwanted apps**. > [!TIP] -> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). +> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our [Microsoft Defender SmartScreen demo pages](https://demo.smartscreen.msft.net/). -#### Blocking URLs with Windows Defender SmartScreen +### Blocking URLs with Microsoft Defender SmartScreen -In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs. +In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs. -Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows +Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can -[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off. +[configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off. -Although Microsoft Defender for Endpoint has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Windows Defender SmartScreen will respect the new settings. +Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings. -### Microsoft Defender Antivirus +## Microsoft Defender Antivirus The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network. > [!NOTE] -> This feature is only available in Windows 10. +> This feature is available in Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. -When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. +When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification is prefaced with `PUA:` to indicate its content. The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history). -#### Configure PUA protection in Microsoft Defender Antivirus +### Configure PUA protection in Microsoft Defender Antivirus -You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. +You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true). -You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. +You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log. > [!TIP] -> You can visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. +> Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. -PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. +PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. -##### Use Intune to configure PUA protection +#### Use Intune to configure PUA protection See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. -##### Use Configuration Manager to configure PUA protection +#### Use Configuration Manager to configure PUA protection -PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch). +PUA protection is enabled by default in the Microsoft Endpoint Manager (Current Branch). -See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch). +See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Manager (Current Branch). For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] > PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. -##### Use Group Policy to configure PUA protection +#### Use Group Policy to configure PUA protection -1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**. +1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) +2. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). +3. Select the Group Policy Object you want to configure, and then choose **Edit**. +4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. +5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**. +6. Double-click **Configure detection for potentially unwanted applications**. +7. Select **Enabled** to enable PUA protection. +8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**. +9. Deploy your Group Policy object as you usually do. -2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. +#### Use PowerShell cmdlets to configure PUA protection -3. Expand the tree to **Windows components > Microsoft Defender Antivirus**. - -4. Double-click **Configure protection for potentially unwanted applications**. - -5. Select **Enabled** to enable PUA protection. - -6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. - -##### Use PowerShell cmdlets to configure PUA protection - -###### To enable PUA protection +##### To enable PUA protection ```PowerShell -Set-MpPreference -PUAProtection enable +Set-MpPreference -PUAProtection Enabled ``` -Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. -###### To set PUA protection to audit mode +Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled. + +##### To set PUA protection to audit mode ```PowerShell -Set-MpPreference -PUAProtection auditmode +Set-MpPreference -PUAProtection AuditMode ``` -Setting `AuditMode` will detect PUAs without blocking them. -###### To disable PUA protection +Setting `AuditMode` detects PUAs without blocking them. + +##### To disable PUA protection We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: ```PowerShell -Set-MpPreference -PUAProtection disable +Set-MpPreference -PUAProtection Disabled ``` -Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled. + +Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled. See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. -#### View PUA events +## View PUA events -PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune. +PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example: + +```console +CategoryID : 27 +DidThreatExecute : False +IsActive : False +Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/ + fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714} +RollupStatus : 33 +SchemaVersion : 1.0.0.0 +SeverityID : 1 +ThreatID : 213927 +ThreatName : PUA:Win32/InstallCore +TypeID : 0 +PSComputerName : +``` You can turn on email notifications to receive mail about PUA detections. See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**. -#### Allow-listing apps +## Excluding files -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Microsoft Defender Antivirus. +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be added to an exclusion list. -## Related articles +For more information, see [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). + +## See also - [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md index 7e6ac508a9..483ca94393 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md @@ -1,27 +1,28 @@ --- -title: Enable cloud-delivered protection in Microsoft Defender Antivirus -description: Enable cloud-delivered protection to benefit from fast and advanced protection features. +title: Turn on cloud-delivered protection in Microsoft Defender Antivirus +description: Turn on cloud-delivered protection to benefit from fast and advanced protection features. keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb +ms.date: 11/13/2020 ms.reviewer: manager: dansimp ms.custom: nextgen +ms.technology: mde --- -# Enable cloud-delivered protection +# Turn on cloud-delivered protection [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!NOTE] > The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. @@ -29,55 +30,60 @@ ms.custom: nextgen Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) -You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. +You can turn Microsoft Defender Antivirus cloud-delivered protection on or off in several ways: + +- Microsoft Intune +- Microsoft Endpoint Configuration Manager +- Group Policy +- PowerShell cmdlets. + + You can also turn it on or off in individual clients with the Windows Security app. See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for an overview of Microsoft Defender Antivirus cloud-delivered protection. -There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md) for more details. +For more information about the specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service, see [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md). > [!NOTE] -> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. +> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. For more information on what we collect, see the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839). -## Use Intune to enable cloud-delivered protection +## Use Intune to turn on cloud-delivered protection -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. On the **Home** pane, select **Device configuration > Profiles**. +3. Select the **Device restrictions** profile type you want to configure. If you need to create a new **Device restrictions** profile type, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +4. Select **Properties** > **Configuration settings: Edit** > **Microsoft Defender Antivirus**. 5. On the **Cloud-delivered protection** switch, select **Enable**. -6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. -7. In the **Submit samples consent** dropdown, select one of the following: - - - **Send safe samples automatically** - - **Send all samples automatically** - - >[!NOTE] - > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. - - > [!WARNING] - > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. - -8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. +6. In the **Prompt users before sample submission** dropdown, select **Send all data automatically**. For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) -## Use Configuration Manager to enable cloud-delivered protection +## Use Microsoft Endpoint Manager to turn on cloud-delivered protection -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. Choose **Endpoint security** > **Antivirus**. +3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following: + 1. **High**: Applies a strong level of detection. + 2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance). + 3. **Zero tolerance**: Blocks all unknown executables. +6. Select **Review + save**, then choose **Save**. -## Use Group Policy to enable cloud-delivered protection +For more information about configuring Microsoft Endpoint Configuration Manager, see [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service). -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +## Use Group Policy to turn on cloud-delivered protection -2. In the **Group Policy Management Editor** go to **Computer configuration**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. + +2. In the **Group Policy Management Editor**, go to **Computer configuration**. 3. Select **Administrative templates**. 4. Expand the tree to **Windows components > Microsoft Defender Antivirus > MAPS** -5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**. +5. Double-click **Join Microsoft MAPS**. Ensure the option is turned on and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**. -6. Double-click **Send file samples when further analysis is required**. Ensure that the option is set to **Enabled** and that the other options are either of the following: +6. Double-click **Send file samples when further analysis is required**. Ensure that the first option is set to **Enabled** and that the other options are set to either: 1. **Send safe samples** (1) 2. **Send all samples** (3) @@ -88,18 +94,18 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht > [!WARNING] > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. -7. Click **OK**. +7. Select **OK**. -## Use PowerShell cmdlets to enable cloud-delivered protection +## Use PowerShell cmdlets to turn on cloud-delivered protection -Use the following cmdlets to enable cloud-delivered protection: +The following cmdlets can turn on cloud-delivered protection: ```PowerShell Set-MpPreference -MAPSReporting Advanced Set-MpPreference -SubmitSamplesConsent SendAllSamples ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). +For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx). [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). >[!NOTE] > You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. @@ -107,7 +113,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u >[!WARNING] > Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. -## Use Windows Management Instruction (WMI) to enable cloud-delivered protection +## Use Windows Management Instruction (WMI) to turn on cloud-delivered protection Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties: @@ -116,33 +122,31 @@ MAPSReporting SubmitSamplesConsent ``` -See the following for more information and allowed parameters: +For more information about allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - -## Enable cloud-delivered protection on individual clients with the Windows Security app +## Turn on cloud-delivered protection on individual clients with the Windows Security app > [!NOTE] > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar, or by searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. ->[!NOTE] ->If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. +> [!NOTE] +> If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. -## Related topics +## Related articles - [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) - [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) - [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] - [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) -- [Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) +- [Use Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md index 0cba7e0b50..e56c78b8f3 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Evaluate Microsoft Defender Antivirus description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10. keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Evaluate Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/mde-turn-tamperprotect-on.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mde-turn-tamperprotect-on.png new file mode 100644 index 0000000000..f7fa41a4ac Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/mde-turn-tamperprotect-on.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png new file mode 100644 index 0000000000..5a8def8136 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md index 1edd31f232..0e6a552e4c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Enable the limited periodic Microsoft Defender Antivirus scanning feature description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md index efb0cb995d..8dc17adfac 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Apply Microsoft Defender Antivirus updates after certain events description: Manage how Microsoft Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports. keywords: updates, protection, force updates, events, startup, check for latest, notifications search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/17/2018 ms.reviewer: pahuijbr manager: dansimp +ms.technology: mde --- # Manage event-based forced updates @@ -33,7 +34,7 @@ You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell c ### Use Configuration Manager to check for protection updates before running a scan -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md index b6b1f9f8bb..668830b824 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Apply Microsoft Defender AV protection updates to out of date endpoints description: Define when and how updates should be applied for endpoints that have not updated in a while. keywords: updates, protection, out-of-date, outdated, old, catch-up search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date @@ -37,7 +38,7 @@ If Microsoft Defender Antivirus did not download protection updates for a specif ### Use Configuration Manager to configure catch-up protection updates -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section and configure the following settings: @@ -166,7 +167,7 @@ See the following for more information and allowed parameters: ### Use Configuration Manager to configure catch-up scans -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md index c9d0582201..494811e6e8 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- title: Schedule Microsoft Defender Antivirus protection updates -description: Schedule the day, time, and interval for when protection updates should be downloaded +description: Schedule the day, time, and interval for when protection updates should be downloaded keywords: updates, security baselines, schedule updates search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security search.appverid: met150 ms.mktglfcycl: manage ms.sitesec: library @@ -12,9 +12,9 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp +ms.technology: mde --- # Manage the schedule for when protection updates should be downloaded and applied @@ -38,7 +38,7 @@ You can also randomize the times when each endpoint checks and downloads protect ## Use Configuration Manager to schedule protection updates -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index 604fc20a9a..acd96cc68b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -1,18 +1,19 @@ --- -title: Manage how and where Microsoft Defender AV receives updates +title: Manage how and where Microsoft Defender Antivirus receives updates description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates. keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp ms.custom: nextgen +ms.technology: mde --- # Manage the sources for Microsoft Defender Antivirus protection updates @@ -22,7 +23,7 @@ ms.custom: nextgen **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=22146631) @@ -71,7 +72,7 @@ Each source has typical scenarios that depend on how your network is configured, |Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.| |Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.| |File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.| -|Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.| +|Microsoft Endpoint Manager | You are using Microsoft Endpoint Manager to update your endpoints.| |Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
      Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).| You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI. @@ -111,7 +112,7 @@ The procedures in this article first describe how to set the order, and then how ## Use Configuration Manager to manage the update location -See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Manager (current branch). ## Use PowerShell cmdlets to manage the update location @@ -170,7 +171,7 @@ Set up a network file share (UNC/mapped drive) to download security intelligence MD C:\Temp\TempSigs\x86 ``` -3. Download the Powershell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4). +3. Download the PowerShell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4). 4. Click **Manual Download**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index f562eb572d..e95120c0b6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Manage Microsoft Defender Antivirus updates and apply baselines description: Manage how Microsoft Defender Antivirus receives protection and product updates. keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,9 +11,10 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp -ms.date: 11/06/2020 +ms.date: 02/12/2021 +ms.technology: mde --- # Manage Microsoft Defender Antivirus updates and apply baselines @@ -27,15 +28,14 @@ ms.date: 11/06/2020 There are two types of updates related to keeping Microsoft Defender Antivirus up to date: - - Security intelligence updates - - Product updates +- Security intelligence updates +- Product updates > [!IMPORTANT] > Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. -> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). +> Make sure to update your antivirus protection even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). > -> You can use the below URL to find out what are the current versions: -> [https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info) +> To see the most current engine, platform, and signature date, visit the [Microsoft security encyclopedia](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info). ## Security intelligence updates @@ -48,6 +48,8 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). +For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes). + Engine updates are included with security intelligence updates and are released on a monthly cadence. ## Product updates @@ -63,20 +65,56 @@ You can manage the distribution of updates through one of the following methods: For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). > [!NOTE] -> We release these monthly updates in phases. This results in multiple packages visible in your WSUS server. +> Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). ## Monthly platform and engine versions -For information how to update or how to install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform). +For information how to update or install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform). All our updates contain - performance improvements; - serviceability improvements; and - integration improvements (Cloud, Microsoft 365 Defender). -
      - +

      + January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5) + + Security intelligence update version: **1.327.1854.0** + Released: **February 2, 2021** + Platform: **4.18.2101.9** + Engine: **1.1.17800.5** + Support phase: **Security and Critical Updates** + +### What's new + +- Additional failed tampering attempt event generation when [Tamper Protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled +- Shellcode exploit detection improvements +- Increased visibility for credential stealing attempts +- Improvements in antitampering features in Microsoft Defender Antivirus services +- Improved support for ARM x64 emulation +- Fix: EDR Block notification remains in threat history after real-time protection performed initial detection + +### Known Issues +No known issues +
      +
      + November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4) + + Security intelligence update version: **1.327.1854.0** + Released: **December 03, 2020** + Platform: **4.18.2011.6** + Engine: **1.1.17700.4** + Support phase: **Security and Critical Updates** + +### What's new + +- Improved [SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) status support logging + +### Known Issues +No known issues +
      +
      October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5)  Security intelligence update version: **1.327.7.0** @@ -86,24 +124,33 @@ All our updates contain  Support phase: **Security and Critical Updates** ### What's new + - New descriptions for special threat categories - Improved emulation capabilities - Improved host address allow/block capabilities - New option in Defender CSP to Ignore merging of local user exclusions ### Known Issues + No known issues
      -
      +
      + +### Previous version updates: Technical upgrade support only + +After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only. +

      +
      September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)  Security intelligence update version: **1.325.10.0**  Released: **October 01, 2020**  Platform: **4.18.2009.7**  Engine: **1.1.17500.4** - Support phase: **Security and Critical Updates** + Support phase: **Technical upgrade support (only)** ### What's new + - Admin permissions are required to restore files in quarantine - XML formatted events are now supported - CSP support for ignoring exclusion merges @@ -115,6 +162,7 @@ No known issues - Improved Office VBA module scanning ### Known Issues + No known issues
      @@ -125,8 +173,8 @@ No known issues  Released: **August 27, 2020**  Platform: **4.18.2008.9**  Engine: **1.1.17400.5** - Support phase: **Security and Critical Updates** - + Support phase: **Technical upgrade support (only)** + ### What's new - Add more telemetry events @@ -149,11 +197,12 @@ No known issues  Released: **July 28, 2020**  Platform: **4.18.2007.8**  Engine: **1.1.17300.4** - Support phase: **Security and Critical Updates** + Support phase: **Technical upgrade support (only)** ### What's new -* Improved telemetry for BITS -* Improved Authenticode code signing certificate validation + +- Improved telemetry for BITS +- Improved Authenticode code signing certificate validation ### Known Issues No known issues @@ -167,15 +216,16 @@ No known issues  Released: **June 22, 2020**  Platform: **4.18.2006.10**  Engine: **1.1.17200.2** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) -* Skipping aggressive catchup scan in Passive mode. -* Allow Defender to update on metered connections -* Fixed performance tuning when caching is disabled -* Fixed registry query -* Fixed scantime randomization in ADMX + +- Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) +- Skipping aggressive catchup scan in Passive mode. +- Allow Defender to update on metered connections +- Fixed performance tuning when caching is disabled +- Fixed registry query +- Fixed scantime randomization in ADMX ### Known Issues No known issues @@ -189,15 +239,16 @@ No known issues  Released: **May 26, 2020**  Platform: **4.18.2005.4**  Engine: **1.1.17100.2** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* Improved logging for scan events -* Improved user mode crash handling. -* Added event tracing for Tamper protection -* Fixed AMSI Sample submission -* Fixed AMSI Cloud blocking -* Fixed Security update install log + +- Improved logging for scan events +- Improved user mode crash handling. +- Added event tracing for Tamper protection +- Fixed AMSI Sample submission +- Fixed AMSI Cloud blocking +- Fixed Security update install log ### Known Issues No known issues @@ -211,16 +262,16 @@ No known issues  Released: **April 30, 2020**  Platform: **4.18.2004.6**  Engine: **1.1.17000.2** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* WDfilter improvements -* Add more actionable event data to attack surface reduction detection events -* Fixed version information in diagnostic data and WMI -* Fixed incorrect platform version in UI after platform update -* Dynamic URL intel for Fileless threat protection -* UEFI scan capability -* Extend logging for updates +- WDfilter improvements +- Add more actionable event data to attack surface reduction detection events +- Fixed version information in diagnostic data and WMI +- Fixed incorrect platform version in UI after platform update +- Dynamic URL intel for Fileless threat protection +- UEFI scan capability +- Extend logging for updates ### Known Issues No known issues @@ -234,15 +285,15 @@ No known issues  Released: **March 24, 2020**  Platform: **4.18.2003.8**  Engine: **1.1.16900.4** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) -* Improve diagnostic capability -* reduce Security intelligence timeout (5 min) -* Extend AMSI engine internal log capability -* Improve notification for process blocking +- CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) +- Improve diagnostic capability +- reduce Security intelligence timeout (5 min) +- Extend AMSI engine internal log capability +- Improve notification for process blocking ### Known Issues [**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan. @@ -255,11 +306,11 @@ No known issues February-2020 (Platform: - | Engine: 1.1.16800.2) - Security intelligence update version: **1.311.4.0** - Released: **February 25, 2020** - Platform/Client: **-** - Engine: **1.1.16800.2** - Support phase: **N/A** + Security intelligence update version: **1.311.4.0** + Released: **February 25, 2020** + Platform/Client: **-** + Engine: **1.1.16800.2** + Support phase: **Technical upgrade support (only)** ### What's new @@ -277,24 +328,27 @@ Security intelligence update version: **1.309.32.0** Released: **January 30, 2020** Platform/Client: **4.18.2001.10** Engine: **1.1.16700.2** -Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* Fixed BSOD on WS2016 with Exchange -* Support platform updates when TMP is redirected to network path -* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) -* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) -* Fix 4.18.1911.3 hang +- Fixed BSOD on WS2016 with Exchange +- Support platform updates when TMP is redirected to network path +- Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) +- extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) +- Fix 4.18.1911.3 hang ### Known Issues + [**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
      > [!IMPORTANT] -> This updates is needed by RS1 devices running lower version of the platform to support SHA2.
      This update has reboot flag for systems that are experiencing the hang issue.
      the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability. -
      -> [!IMPORTANT] -> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update) +> This update is: +> - needed by RS1 devices running lower version of the platform to support SHA2; +> - has a reboot flag for systems that have hanging issues; +> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability; +> - is categorized as an update due to the reboot requirement; and +> - is only be offered with [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update).
      @@ -309,24 +363,23 @@ Support phase: **No support** ### What's new -* Fixed MpCmdRun tracing level -* Fixed WDFilter version info -* Improve notifications (PUA) -* add MRT logs to support files +- Fixed MpCmdRun tracing level +- Fixed WDFilter version info +- Improve notifications (PUA) +- add MRT logs to support files ### Known Issues When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
      + ## Microsoft Defender Antivirus platform support Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version: - -* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform. +- **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform. - -* **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.* +- **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.* \* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version. @@ -337,23 +390,115 @@ The below table provides the Microsoft Defender Antivirus platform and engine ve |Windows 10 release |Platform version |Engine version |Support phase | |:---|:---|:---|:---| -|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade Support (Only) | -|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) | -|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) | -|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) | -|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) | -|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) | -|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) | -|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) | +|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade support (only) | +|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade support (only) | +|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade support (only) | +|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade support (only) | +|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade support (only) | +|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade support (only) | +|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade support (only) | +|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade support (only) | -Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet). +For Windows 10 release information, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet). +## Updates for Deployment Image Servicing and Management (DISM) -## See also +We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection. + +For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). + +
      +1.1.2102.03 + + Package version: **1.1.2102.03** + Platform version: **4.18.2011.6** + Engine version: **1.17800.5** + Signature version: **1.331.174.0** + +### Fixes +- None + +### Additional information +- None +
      +
      +1.1.2101.02 + + Package version: **1.1.2101.02** + Platform version: **4.18.2011.6** + Engine version: **1.17700.4** + Signature version: **1.329.1796.0** + +### Fixes +- None + +### Additional information +- None +
      +
      +1.1.2012.01 + + Package version: **1.1.2012.01** + Platform version: **4.18.2010.7** + Engine version: **1.17600.5** + Signature version: **1.327.1991.0** + +### Fixes +- None + +### Additional information +- None +
      +
      +1.1.2011.02 + + Package version: **1.1.2011.02** + Platform version: **4.18.2010.7** + Engine version: **1.17600.5** + Signature version: **1.327.658.0** + +### Fixes +- None + +### Additional information +- Refreshed Microsoft Defender Antivirus signatures +
      +
      +1.1.2011.01 + + Package version: **1.1.2011.01** + Platform version: **4.18.2009.7** + Engine version: **1.17600.5** + Signature version: **1.327.344.0** + +### Fixes +- None + +### Additional information +- None +
      +
      +1.1.2009.10 + + Package version: **1.1.2011.01** + Platform version: **4.18.2008.9** + Engine version: **1.17400.5** + Signature version: **1.327.2216.0** + +### Fixes +- None + +### Additional information +- Added support for Windows 10 RS1 or later OS install images. +
      +
      + +## Additional resources | Article | Description | |:---|:---| -|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources. | +|[Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images) | Review antimalware update packages for your OS installation images (WIM and VHD files). Get Microsoft Defender Antivirus updates for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 installation images. | +|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through many sources. | |[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. | |[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. | |[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. | diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md index fbbf677933..8f192cc64b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- -title: Define how mobile devices are updated by Microsoft Defender AV -description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender AV protection updates. +title: Define how mobile devices are updated by Microsoft Defender Antivirus +description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender Antivirus protection updates. keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,9 +11,9 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Manage updates for mobile devices and virtual machines (VMs) @@ -25,53 +25,56 @@ manager: dansimp - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates. +Mobile devices and VMs may require more configuration to ensure performance is not impacted by updates. -There are two settings that are particularly useful for these devices: +There are two settings that are useful for these devices: -- Opt-in to Microsoft Update on mobile computers without a WSUS connection +- Opt in to Microsoft Update on mobile computers without a WSUS connection - Prevent Security intelligence updates when running on battery power -The following topics may also be useful in these situations: +The following articles may also be useful in these situations: - [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) - [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) - [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md) -## Opt-in to Microsoft Update on mobile computers without a WSUS connection +## Opt in to Microsoft Update on mobile computers without a WSUS connection You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update. -You can opt-in to Microsoft Update on the mobile device in one of the following ways: +You can opt in to Microsoft Update on the mobile device in one of the following ways: -1. Change the setting with Group Policy -2. Use a VBScript to create a script, then run it on each computer in your network. -3. Manually opt-in every computer on your network through the **Settings** menu. +- Change the setting with Group Policy. +- Use a VBScript to create a script, then run it on each computer in your network. +- Manually opt in every computer on your network through the **Settings** menu. -### Use Group Policy to opt-in to Microsoft Update +### Use Group Policy to opt in to Microsoft Update -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Select **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. -6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**. +5. Set **Allow security intelligence updates from Microsoft Update** to **Enabled**, and then select **OK**. -### Use a VBScript to opt-in to Microsoft Update +### Use a VBScript to opt in to Microsoft Update -1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. -2. Run the VBScript you created on each computer in your network. +1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. -### Manually opt-in to Microsoft Update +2. Run the VBScript you created on each computer in your network. -1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in. -2. Click **Advanced** options. -3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. +### Manually opt in to Microsoft Update + +1. Open **Windows Update** in **Update & security** settings on the computer you want to opt in. + +2. Select **Advanced** options. + +3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. ## Prevent Security intelligence updates when running on battery power @@ -79,17 +82,15 @@ You can configure Microsoft Defender Antivirus to only download protection updat ### Use Group Policy to prevent security intelligence updates on battery power -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), choose the Group Policy Object you want to configure, and open it for editing. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Select **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following setting: - - 1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**. - 2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**, and then set **Allow security intelligence updates when running on battery power** to **Disabled**. Then select **OK**. +This action prevents protection updates from downloading when the PC is on battery power. ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 09984de193..683610ed5c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -1,26 +1,26 @@ --- title: Microsoft Defender Antivirus compatibility with other security products -description: Microsoft Defender Antivirus operates in different ways depending on what other security products you have installed, and the operating system you are using. -keywords: windows defender, atp, advanced threat protection, compatibility, passive mode +description: What to expect from Microsoft Defender Antivirus with other security products and the operating systems you are using. +keywords: windows defender, next-generation, antivirus, compatibility, passive mode search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: +ms.reviewer: tewchen, pahuijbr, shwjha manager: dansimp -ms.date: 11/06/2020 +ms.date: 02/09/2021 +ms.technology: mde --- # Microsoft Defender Antivirus compatibility [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) @@ -34,32 +34,41 @@ Microsoft Defender Antivirus is automatically enabled and installed on endpoints ## Antivirus and Microsoft Defender for Endpoint -The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint. +The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint. | Windows version | Antimalware protection | Microsoft Defender for Endpoint enrollment | Microsoft Defender Antivirus state | |------|------|-------|-------| -| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | -| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | -| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode | -| Windows 10 | Microsoft Defender Antivirus | No | Active mode | -| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] | -| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] | -| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode | -| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode | +| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | +| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatically disabled mode | +| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode | +| Windows 10 | Microsoft Defender Antivirus | No | Active mode | +| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Must be set to passive mode (manually) [[1](#fn1)] | +| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) [[2](#fn2)] | +| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode | +| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode | +| Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode | +| Windows Server 2016 | Microsoft Defender Antivirus | No | Active mode | +| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually) [[2](#fn2)] | +| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) [[2](#fn2)] | -(1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine. +(1) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. -If you are using Windows Server, version 1803 or Windows Server 2019, you can enable passive mode by setting this registry key: +If you are using Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` -- Name: ForceDefenderPassiveMode -- Type: REG_DWORD -- Value: 1 +- Name: `ForceDefenderPassiveMode` +- Type: `REG_DWORD` +- Value: `1` -See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations. +> [!NOTE] +> The `ForceDefenderPassiveMode` registry key is not supported on Windows Server 2016. + +(2) On Windows Server 2016, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In addition, Microsoft Defender Antivirus is not supported in passive mode. In those cases, [disable/uninstall Microsoft Defender Antivirus manually](microsoft-defender-antivirus-on-windows-server-2016.md#are-you-using-windows-server-2016) to prevent problems caused by having multiple antivirus products installed on a server. + +See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations. > [!IMPORTANT] -> Microsoft Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019. +> Microsoft Defender Antivirus is only available on devices running Windows 10, Windows Server 2016, Windows Server, version 1803 or later, and Windows Server 2019. > > In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager. > @@ -67,40 +76,53 @@ See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-def ## Functionality and features available in each state -The following table summarizes the functionality and features that are available in each state: +The table in this section summarizes the functionality and features that are available in each state. The table is designed to be informational only. It is intended to describe the features & capabilities that are actively working or not, according to whether Microsoft Defender Antivirus is in active mode, in passive mode, or is disabled/uninstalled. -|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | -|--|--|--|--|--|--| -|Active mode

      |Yes |No |Yes |Yes |Yes | -|Passive mode |No |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes | -|[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes | -|Automatic disabled mode |No |Yes |No |No |No | +> [!IMPORTANT] +> Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode. -- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). -- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. -- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. -- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. +|Protection |Active mode |Passive mode |EDR in block mode |Disabled or uninstalled | +|:---|:---|:---|:---|:---| +| [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No [[3](#fn3)] | No | No | +| [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes | +| [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | Yes | Yes | Yes | No | +| [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | See note [[4](#fn4)] | Yes | No | +| [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No | + +(3) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. + +(4) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans. + +> [!NOTE] +> [Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in active or passive mode. ## Keep the following points in mind -If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. +- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). -When Microsoft Defender Antivirus is automatically disabled, it can automatically re-enabled if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. +- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. -In passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. +- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items. -If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode. +- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. + +- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. + +- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. + +- When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have an up-to-date, non-Microsoft antivirus product providing real-time protection from malware. For optimal security layered defense and detection efficacy, please ensure that you update the [Microsoft Defender Antivirus protection (Security intelligence update, Engine and Platform)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) even if Microsoft Defender Antivirus is running in passive mode. + + If you uninstall the non-Microsoft antivirus product, and use Microsoft Defender Antivirus to provide protection to your devices, Microsoft Defender Antivirus will return to its normal active mode automatically. > [!WARNING] -> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). +> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). -> [!IMPORTANT] -> If you are using [Microsoft Endpoint DLP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview), Microsoft Defender Antivirus real-time protection is enabled, even when Microsoft Defender Antivirus is running in passive mode. Endpoint DLP depends on real-time protection to operate. ## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) -- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) +- [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md) - [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) -- [Configure Endpoint Protection on a standalone client](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure-standalone-client) +- [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) +- [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md index f141caebc4..63a22fd4f7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md @@ -1,37 +1,37 @@ --- title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 -description: Learn how to manage, configure, and use Microsoft Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016 +description: Learn how to manage, configure, and use Microsoft Defender Antivirus, built-in antimalware and antivirus protection. keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: high author: denisebmsft ms.author: deniseb -ms.date: 02/25/2020 +ms.date: 12/16/2020 ms.reviewer: manager: dansimp ms.custom: nextgen +ms.technology: mde --- -# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 +# Next-generation protection in Windows [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Microsoft Defender Antivirus: Your next-generation protection -Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint. Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following: +Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Your next-generation protection services include the following capabilities: -- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware. -- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats. -- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md). This includes updates related to keeping Microsoft Defender Antivirus up to date. +- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md), which includes always-on scanning using file and process behavior monitoring and other heuristics (also known as *real-time protection*). It also includes detecting and blocking apps that are deemed unsafe, but might not be detected as malware. +- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md), which includes near-instant detection and blocking of new and emerging threats. +- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md), which includes updates related to keeping Microsoft Defender Antivirus up to date. ## Try a demo! @@ -42,7 +42,7 @@ Visit the [Microsoft Defender for Endpoint demo website](https://demo.wd.microso ## Minimum system requirements -Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see: +Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see the following resources: - [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) - [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components) @@ -54,8 +54,8 @@ For information on how to configure next-generation protection services, see [Co > [!Note] > Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Microsoft Defender Antivirus; however, there are some differences. To learn more, see [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md). -## Related articles +## See also +- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) - [Microsoft Defender Antivirus management and configuration](configuration-management-reference-microsoft-defender-antivirus.md) - - [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index 0b7e4ccdd6..0f1c9bbc2f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md @@ -1,33 +1,35 @@ --- -title: Microsoft Defender Antivirus on Windows Server 2016 and 2019 +title: Microsoft Defender Antivirus on Windows Server description: Learn how to enable and configure Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019. keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012 search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 02/25/2020 -ms.reviewer: +ms.date: 01/21/2021 +ms.reviewer: pahuijbr, shwjha manager: dansimp +ms.technology: mde --- -# Microsoft Defender Antivirus on Windows Server 2016 and 2019 +# Microsoft Defender Antivirus on Windows Server [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- Windows Server 2016 +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +Microsoft Defender Antivirus is available on the following editions/versions of Windows Server: - Windows Server 2019 +- Windows Server, version 1803 or later +- Windows Server 2016. -Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same. - -While the functionality, configuration, and management are largely the same for Microsoft Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019: +In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same. Although the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server: - In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role. - In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product. @@ -36,35 +38,29 @@ While the functionality, configuration, and management are largely the same for The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps: -1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019) +1. [Enable the interface](#enable-the-user-interface-on-windows-server). +2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server). +3. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running). +4. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence). +5. (As needed) [Submit samples](#submit-samples). +6. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions). +7. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-set-microsoft-defender-antivirus-to-passive-mode). -2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019) +## Enable the user interface on Windows Server -2. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running) - -3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence) - -4. (As needed) [Submit samples](#submit-samples) - -5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions) - -6. (Only if necessary) [Uninstall Microsoft Defender Antivirus](#need-to-uninstall-microsoft-defender-antivirus) - -## Enable the user interface on Windows Server 2016 or 2019 - -By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell. +By default, Microsoft Defender Antivirus is installed and functional on Windows Server. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. If the GUI is not installed on your server, you can add it by using the **Add Roles and Features** wizard, or by using PowerShell cmdlets. ### Turn on the GUI using the Add Roles and Features Wizard -1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**. +1. See [Install roles, role services, and features by using the add Roles and Features Wizard](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**. 2. When you get to the **Features** step of the wizard, under **Windows Defender Features**, select the **GUI for Windows Defender** option. -In Windows Server 2016, the **Add Roles and Features Wizard** looks like this: + In Windows Server 2016, the **Add Roles and Features Wizard** looks like this: -![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png) + ![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png) -In Windows Server 2019, the **Add Roles and Feature Wizard** looks much the same. + In Windows Server 2019, the **Add Roles and Feature Wizard** is similar. ### Turn on the GUI using PowerShell @@ -74,7 +70,7 @@ The following PowerShell cmdlet will enable the interface: Install-WindowsFeature -Name Windows-Defender-GUI ``` -## Install Microsoft Defender Antivirus on Windows Server 2016 or 2019 +## Install Microsoft Defender Antivirus on Windows Server You can use either the **Add Roles and Features Wizard** or PowerShell to install Microsoft Defender Antivirus. @@ -119,16 +115,16 @@ The `sc query` command returns information about the Microsoft Defender Antiviru ## Update antimalware Security intelligence -In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage. +To get updated antimalware security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage. -By default, Windows Update does not download and install updates automatically on Windows Server 2016 or 2019. You can change this configuration by using one of the following methods: +By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2016. You can change this configuration by using one of the following methods: |Method |Description | |---------|---------| |**Windows Update** in Control Panel |- **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates.
      - **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. | |**Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** | -|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates:
      - **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
      - **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. | +|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates:
      - **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
      - **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. | To ensure that protection from malware is maintained, we recommend that you enable the following services: @@ -162,10 +158,10 @@ To enable automatic sample submission, start a Windows PowerShell console as an |Setting |Description | |---------|---------| -|**0** Always prompt |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. | -|**1** Send safe samples automatically |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. | -|**2** Never send |The Microsoft Defender Antivirus service does not prompt and does not send any files. | -|**3** Send all samples automatically |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. | +|**0** - **Always prompt** |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. | +|**1** - **Send safe samples automatically** |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. | +|**2** - **Never send** |The Microsoft Defender Antivirus service does not prompt and does not send any files. | +|**3** - **Send all samples automatically** |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. | ## Configure automatic exclusions @@ -173,38 +169,29 @@ To help ensure security and performance, certain exclusions are automatically ad See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md). -## Need to uninstall Microsoft Defender Antivirus? +## Need to set Microsoft Defender Antivirus to passive mode? -If you are using a third-party antivirus solution and you're running into issues with that solution and Microsoft Defender Antivirus, you can consider uninstalling Microsoft Defender Antivirus. Before you do that, review the following resources: +If you are using a non-Microsoft antivirus product as your primary antivirus solution, set Microsoft Defender Antivirus to passive mode. -- See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products). +### Set Microsoft Defender Antivirus to passive mode using a registry key -- See [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. +If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: +- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` +- Name: `ForceDefenderPassiveMode` +- Type: `REG_DWORD` +- Value: `1` -If you determine you do want to uninstall Microsoft Defender Antivirus, follow the steps in the following sections. +### Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard -### Uninstall Microsoft Defender Antivirus using the Remove Roles and Features wizard +1. See [Install or Uninstall Roles, Role Services, or Features](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**. -1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**. +2. When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option. -2. When you get to the **Features** step of the wizard, unselect the **Windows Defender Features** option. - - If you unselect **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**. + If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**. - Microsoft Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. + Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. -### Uninstall Microsoft Defender Antivirus using PowerShell - ->[!NOTE] ->You can't uninstall the Windows Security app, but you can disable the interface with these instructions. - -The following PowerShell cmdlet will also uninstall Microsoft Defender AV on Windows Server 2016 or 2019: - -```PowerShell -Uninstall-WindowsFeature -Name Windows-Defender -``` - -### Turn off the GUI using PowerShell +### Turn off the Microsoft Defender Antivirus user interface using PowerShell To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet: @@ -212,11 +199,22 @@ To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell c Uninstall-WindowsFeature -Name Windows-Defender-GUI ``` +### Are you using Windows Server 2016? -## Related topics +If you are using Windows Server 2016 and a third-party antimalware/antivirus product that is not offered or developed by Microsoft, you'll need to disable/uninstall Microsoft Defender Antivirus. + +> [!NOTE] +> You can't uninstall the Windows Security app, but you can disable the interface with these instructions. + +The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016: + +```PowerShell +Uninstall-WindowsFeature -Name Windows-Defender +``` + +## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - -- [Configure exclusions in Microsoft Defender AV on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md index 355705569c..b22545f7af 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md @@ -3,7 +3,7 @@ title: Microsoft Defender Offline in Windows 10 description: You can use Microsoft Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network. keywords: scan, defender, offline search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Run and review the results of a Microsoft Defender Offline scan @@ -58,7 +59,7 @@ See the [Manage Microsoft Defender Antivirus Security intelligence updates](man In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint. -The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints. +The need to perform an offline scan will also be revealed in Microsoft Endpoint Manager if you're using it to manage your endpoints. The prompt can occur via a notification, similar to the following: @@ -70,7 +71,7 @@ In Configuration Manager, you can identify the status of endpoints by navigating Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. -![Microsoft Endpoint Configuration Manager indicating a Microsoft Defender Offline scan is required](images/defender/sccm-wdo.png) +![Microsoft Endpoint Manager indicating a Microsoft Defender Offline scan is required](images/defender/sccm-wdo.png) ## Configure notifications diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md index e4f4d4c952..81bb63ed13 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md @@ -3,7 +3,7 @@ title: Microsoft Defender Antivirus in the Windows Security app description: With Microsoft Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks. keywords: wdav, antivirus, firewall, security, windows search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Microsoft Defender Antivirus in the Windows Security app @@ -29,12 +30,9 @@ In Windows 10, version 1703 and later, the Windows Defender app is part of the W Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703. > [!IMPORTANT] -> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. -> -> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. -> -> It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. -> +> Disabling the Windows Security Center service does not disable Microsoft Defender Antivirus or [Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. +> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app might display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> It might also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you might have previously installed. > This will significantly lower the protection of your device and could lead to malware infection. See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. @@ -43,12 +41,11 @@ The Windows Security app is a client interface on Windows 10, version 1703 and l ## Review virus and threat protection settings in the Windows Security app +![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) + 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - - ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) - +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). + ## Comparison of settings and functions of the old app and the new app All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app. @@ -59,13 +56,13 @@ The following diagrams compare the location of settings and functions between th ![Microsoft Defender Antivirus in Windows 10, version 1703 and later](images/defender/wdav-wdsc.png) -Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description ----|---|---|--- -1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence) -2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed -3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission -4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Offline scan -5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option +| Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description | +|:---|:---|:---|:---| +| 1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence) | +| 2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed | +| 3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission | +| 4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Antivirus Offline scan | +| 5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option | ## Common tasks @@ -79,55 +76,41 @@ This section describes how to perform some of the most common tasks when reviewi ### Run a scan with the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - -3. Click **Scan now**. - -4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). +3. Select **Scan now**. +4. Select **Run a new advanced scan** to specify different types of scans, such as a full scan. ### Review the security intelligence update version and download the latest updates in the Windows Security app +![Security intelligence version number information](images/defender/wdav-wdsc-defs.png) + 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - -3. Click **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version. - - ![Security intelligence version number information](images/defender/wdav-wdsc-defs.png) - -4. Click **Check for updates** to download new protection updates (if there are any). +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). +3. Select **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version. +4. Select **Check for updates** to download new protection updates (if there are any). ### Ensure Microsoft Defender Antivirus is enabled in the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - -3. Click **Virus & threat protection settings**. - +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). +3. Select **Virus & threat protection settings**. 4. Toggle the **Real-time protection** switch to **On**. > [!NOTE] > If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats. - > - > If you install another antivirus product, Microsoft Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md). + > If you install another antivirus product, Microsoft Defender Antivirus automatically disables itself and is indicated as such in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md). ### Add exclusions for Microsoft Defender Antivirus in the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - -3. Click **Virus & threat protection settings**. - -4. Under the **Exclusions** setting, click **Add or remove exclusions**. - -5. Click the plus icon to choose the type and set the options for each exclusion. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). +3. Under the **Manage settings**, select **Virus & threat protection settings**. +4. Under the **Exclusions** setting, select **Add or remove exclusions**. +5. Select the plus icon (**+**) to choose the type and set the options for each exclusion. The following table summarizes exclusion types and what happens: @@ -139,34 +122,26 @@ The following table summarizes exclusion types and what happens: |**File type** |File extension
      Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. | |**Process** |Executable file path
      Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. | -To learn more, see: +To learn more, see the following resources: - [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus) - [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus) ### Review threat detection history in the Windows Defender Security Center app - 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - - 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - - 3. Click **Threat history** - - 4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**). +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). +3. Select **Threat history** +4. Select **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**). ### Set ransomware protection and recovery options 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - -3. Click **Ransomware protection**. - +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). +3. Select **Ransomware protection**. 4. To change Controlled folder access settings, see [Protect important folders with Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard). +5. To set up ransomware recovery options, select **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack. -5. To set up ransomware recovery options, click **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack. - -## Related articles - +## See also - [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md index eb9a31fb16..7f35ddf666 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md @@ -1,21 +1,22 @@ --- -title: "Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats" -description: "Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more." +title: Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats +description: Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more. keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -ms.topic: article +audience: ITPro +ms.topic: article author: denisebmsft ms.author: deniseb ms.custom: nextgen ms.date: 03/04/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Better together: Microsoft Defender Antivirus and Office 365 @@ -24,9 +25,9 @@ manager: dansimp **Applies to:** - +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Microsoft Defender Antivirus -- Office 365 +- Microsoft 365 You might already know that: diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 6cc3ece08f..daa0a27d8a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -6,7 +6,7 @@ description: Use tamper protection to prevent malicious apps from changing impor keywords: malware, defender, antivirus, tamper protection search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -14,7 +14,8 @@ audience: ITPro author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 10/14/2020 +ms.date: 02/17/2021 +ms.technology: mde --- # Protect security settings with tamper protection @@ -24,12 +25,18 @@ ms.date: 10/14/2020 **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +Tamper protection is available for devices that are running one of the following versions of Windows: + - Windows 10 -- Windows Server 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006)) +- Windows Server 2019 +- Windows Server, version 1803 or later +- Windows Server 2016 ## Overview -During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring. +During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring. With tamper protection, malicious apps are prevented from taking actions such as: @@ -44,116 +51,129 @@ With tamper protection, malicious apps are prevented from taking actions such as Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as: -- Configuring settings in Registry Editor on your Windows machine +- Configuring settings in Registry Editor on your Windows device - Changing settings through PowerShell cmdlets - Editing or removing security settings through group policies -Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team. +Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; in those cases, tamper protection is managed by your security team. ### What do you want to do? -1. Turn tamper protection on
      - - [For an individual machine, use Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine). - - [For your organization, use Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune). - - [Use tenant attach with Configuration Manager, version 2006, for devices running Windows 10 or Windows Server 2019](#manage-tamper-protection-with-configuration-manager-version-2006) +| To perform this task... | See this section... | +|:---|:---| +| Turn tamper protection on (or off) for an individual device | [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device) | +| Turn tamper protection on (or off) for all or part of your organization using Intune

      Fine-tune tamper protection settings in your organization | [Manage tamper protection for your organization using Intune](#manage-tamper-protection-for-your-organization-using-intune) | +| Turn tamper protection on (or off) for your organization with Configuration Manager | [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006) | +| Turn tamper protection on (or off) in the Microsoft Defender Security Center

      Manage tamper protection across your tenant

      (Currently in preview) | [Manage tamper protection for your organization using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) | +| View details about tampering attempts on devices | [View information about tampering attempts](#view-information-about-tampering-attempts) | +| Review your security recommendations | [Review security recommendations](#review-your-security-recommendations) | +| Review the list of frequently asked questions (FAQs) | [Browse the FAQs](#view-information-about-tampering-attempts) | -2. [View information about tampering attempts](#view-information-about-tampering-attempts). - -3. [Review your security recommendations](#review-your-security-recommendations). - -4. [Browse the frequently asked questions](#view-information-about-tampering-attempts). - -## Turn tamper protection on (or off) for an individual machine +## Manage tamper protection on an individual device > [!NOTE] > Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry. > > To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).) > -> Once you’ve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors. +> Once you’ve made this update, tamper protection continues to protect your registry settings, and logs attempts to modify them without returning errors. -If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do this. +If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to manage tamper protection. You must have appropriate admin permissions on your device to do change security settings, such as tamper protection. -1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**. +Here's what you see in the Windows Security app: +![Tamper protection turned on in Windows 10 Home](images/tamperprotectionturnedon.png) + +1. Select **Start**, and start typing *Security*. In the search results, select **Windows Security**. 2. Select **Virus & threat protection** > **Virus & threat protection settings**. - 3. Set **Tamper Protection** to **On** or **Off**. - Here's what you see in the Windows Security app: +## Manage tamper protection for your organization using Intune - ![Tamper protection turned on in Windows 10 Home](images/tamperprotectionturnedon.png) +If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) portal. Use Intune when you want to fine-tune tamper protection settings. For example, if you want to enable tamper protection on some devices, but not all, use Intune. -## Turn tamper protection on (or off) for your organization using Intune +### Requirements for managing tamper protection in Intune -If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) portal. +- You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations. +- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.) +- Your Windows devices must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).) +- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above). +- Your devices must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).) -You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task. +### Turn tamper protection on (or off) in Intune -1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune: +![Turn tamper protection on with Intune](images/turnontamperprotect-MEM.png) - - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.) - - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.) - - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above). - - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).) - -2. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account. - -3. Select **Devices** > **Configuration Profiles**. - -4. Create a profile as follows: - - - Platform: **Windows 10 and later** - - - Profile type: **Endpoint protection** - - - Category: **Microsoft Defender Security Center** - - - Tamper Protection: **Enabled** - - ![Turn tamper protection on with Intune](images/turnontamperprotect-MEM.png) - -5. Assign the profile to one or more groups. +1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account. +2. Select **Devices** > **Configuration Profiles**. +3. Create a profile that includes the following settings: + - **Platform: Windows 10 and later** + - **Profile type: Endpoint protection** + - **Category: Microsoft Defender Security Center** + - **Tamper Protection: Enabled** +4. Assign the profile to one or more groups. ### Are you using Windows OS 1709, 1803, or 1809? -If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled. +If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled. #### Use PowerShell to determine whether tamper protection is turned on 1. Open the Windows PowerShell app. - 2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) PowerShell cmdlet. - 3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.) -## Manage tamper protection with Configuration Manager, version 2006 +## Manage tamper protection for your organization with Configuration Manager, version 2006 > [!IMPORTANT] > The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure. -If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 using tenant attach. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices. +If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver endpoint security configuration policies to on-premises collections & devices. + +![Windows security experience in Endpoint Manager](images/win-security- exp-policy-endpt-security.png) 1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions). - 2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**.
      - - In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**. - - In the **Profile** list, select **Windows Security experience (preview)**.
      - - The following screenshot illustrates how to create your policy: - - :::image type="content" source="images/win-security- exp-policy-endpt-security.png" alt-text="Windows security experience in Endpoint Manager"::: - 3. Deploy the policy to your device collection. -Need help? See the following resources: +### Need help with this? + +See the following resources: - [Settings for the Windows Security experience profile in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/antivirus-security-experience-windows-settings) - - [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin) +## Manage tamper protection for your organization using the Microsoft Defender Security Center + +Currently in preview, tamper protection can be turned on or off in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). Here are a few points to keep in mind: + +- When you use the Microsoft Defender Security Center to manage tamper protection, you do not have to use Intune or the tenant attach method. +- When you manage tamper protection in the Microsoft Defender Security Center, the setting is applied tenant wide, affecting all of your devices that are running Windows 10, Windows Server 2016, or Windows Server 2019. To fine-tune tamper protection (such as having tamper protection on for some devices but off for others), use either [Intune](#manage-tamper-protection-for-your-organization-using-intune) or [Configuration Manager with tenant attach](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006). +- If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft Defender Security Center. +- Tamper protection is generally available; however, the ability to manage tamper protection in the Microsoft Defender Security Center is currently in preview. + +### Requirements for managing tamper protection in the Microsoft Defender Security Center + +- You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations. +- Your Windows devices must be running one of the following versions of Windows: + - Windows 10 + - [Windows Server 2019](/windows-server/get-started-19/whats-new-19) + - Windows Server, version [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later + - [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) + - For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information). +- Your devices must be [onboarded to Microsoft Defender for Endpoint](../microsoft-defender-atp/onboarding.md). +- Your devices must be using anti-malware platform version 4.18.2010.7 (or above) and anti-malware engine version 1.1.17600.5 (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).) +- [Cloud-delivered protection must be turned on](enable-cloud-protection-microsoft-defender-antivirus.md). + +### Turn tamper protection on (or off) in the Microsoft Defender Security Center + +![Turn tamper protection on in the Microsoft Defender Security Center](images/mde-turn-tamperprotect-on.png) + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. Choose **Settings**. +3. Go to **General** > **Advanced features**, and then turn tamper protection on. ## View information about tampering attempts @@ -181,11 +201,11 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili ### To which Windows OS versions is configuring tamper protection is applicable? -Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -If you are using Configuration Manager, version 2006 with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy). +If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy). -### Will tamper protection have any impact on third party antivirus registration? +### Will tamper protection have any impact on third-party antivirus registration? No. Third-party antivirus offerings will continue to register with the Windows Security application. @@ -195,36 +215,27 @@ Devices that are onboarded to Microsoft Defender for Endpoint will have Microsof ### How can I turn tamper protection on/off? -If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine). +If you are a home user, see [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device). If you are an organization using [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article: -- [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune) - -- [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006) +- [Manage tamper protection using Intune](#manage-tamper-protection-for-your-organization-using-intune) +- [Manage tamper protection using Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006) +- [Manage tamper protection using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) (currently in preview) ### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy? Your regular group policy doesn’t apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on. -> [!NOTE] -> A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection. - -To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings. - -Some sample Microsoft Defender Antivirus settings: - -- *Turn off real-time protection*
      - Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\\
      - Value `DisableRealtimeMonitoring` = 0 - ### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only? -Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization as well as to specific devices and user groups. +Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization and to specific devices and user groups. ### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager? -If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006) and [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin). +If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See the following resources: +- [Manage tamper protection for your organization with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006) +- [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin) ### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune? @@ -246,7 +257,7 @@ If a device is off-boarded from Microsoft Defender for Endpoint, tamper protecti Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**. -In addition, your security operations team can use hunting queries, such as the following: +Your security operations team can also use hunting queries, such as the following example: `DeviceAlertEvents | where Title == "Tamper Protection bypass"` @@ -254,8 +265,6 @@ In addition, your security operations team can use hunting queries, such as the ## See also -[Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) - -[Get an overview of Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) - -[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md) +- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) +- [Get an overview of Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +- [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md index bc77598593..93d033b274 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Hide the Microsoft Defender Antivirus interface description: You can hide virus and threat protection tile in the Windows Security app. keywords: ui lockdown, headless mode, hide app, hide settings, hide interface search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md index 9b789e6a59..f6c46b93b9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Monitor and report on Microsoft Defender Antivirus protection description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Microsoft Defender AV with PowerShell and WMI. keywords: siem, monitor, report, Microsoft Defender AV search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,9 +11,10 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 12/07/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Report on Microsoft Defender Antivirus @@ -25,7 +26,9 @@ manager: dansimp - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). +Microsoft Defender Antivirus is built into Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint. Next-generation protection helps protect your devices from software threats like viruses, malware, and spyware across email, apps, the cloud, and the web. + +With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings. @@ -42,5 +45,5 @@ For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, s ## Related articles - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - +- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016) - [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md index e2ce17b208..e3f5c1f0fe 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Restore quarantined files in Microsoft Defender AV description: You can restore files and folders that were quarantined by Microsoft Defender AV. keywords: search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 05/20/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Restore quarantined files in Microsoft Defender AV diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md index 44079dd62b..4168fb1d63 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- -title: Review the results of Microsoft Defender AV scans +title: Review the results of Microsoft Defender AV scans description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app keywords: scan results, remediation, full scan, quick scan search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/28/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Review Microsoft Defender Antivirus scan results diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md index 04914ca837..5a65b6a165 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Run and customize on-demand scans in Microsoft Defender AV description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app keywords: scan, on-demand, dos, intune, instant scan search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,58 +11,65 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 11/13/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure and run on-demand Microsoft Defender Antivirus scans [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. - ## Quick scan versus full scan -Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. +Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. -> [!IMPORTANT] -> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share. +> [!IMPORTANT] +> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share. -Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. +Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they're opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. -In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection. +In most instances, a quick scan is adequate to find malware that wasn't picked up by real-time protection. -A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans. +A full scan can be useful on endpoints that have reported a malware threat. The scan can identify if there are any inactive components that require a more thorough clean-up. This is ideal if your organization is running on-demand scans. ->[!NOTE] ->By default, quick scans run on mounted removable devices, such as USB drives. +> [!NOTE] +> By default, quick scans run on mounted removable devices, such as USB drives. -## Use Configuration Manager to run a scan +## Use Microsoft Endpoint Manager to run a scan -See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. Choose **Endpoint security** > **Antivirus**. +3. In the list of tabs, select **Windows 10 unhealthy endpoints**. +4. From the list of actions provided, select **Quick Scan** or **Full Scan**. + +[ ![IMAGE](images/mem-antivirus-scan-on-demand.png) ](images/mem-antivirus-scan-on-demand.png#lightbox) + +> [!TIP] +> For more information about using Microsoft Endpoint Manager to run a scan, see [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers). ## Use the mpcmdrun.exe command-line utility to run a scan Use the following `-scan` parameter: -```DOS +```console mpcmdrun.exe -scan -scantype 1 ``` -See [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths. + +For more information about how to use the tool and additional parameters, including starting a full scan, or defining paths, see [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md). ## Use Microsoft Intune to run a scan -1. In Intune, go to **Devices > All Devices** and select the device you want to scan. - -2. Select **...More** and then select **Quick Scan** or **Full Scan**. - +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. From the sidebar, select **Devices > All Devices** and choose the device you want to scan. +3. Select **...More**. From the options, select **Quick Scan** or **Full Scan**. ## Use the Windows Security app to run a scan @@ -75,15 +82,14 @@ Use the following cmdlet: ```PowerShell Start-MpScan ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. + +For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). ## Use Windows Management Instruction (WMI) to run a scan -Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/library/dn455324(v=vs.85).aspx#methods) class. - -See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) +Use the [**Start** method](https://docs.microsoft.com/previous-versions/windows/desktop/defender/start-msft-mpscan) of the **MSFT_MpScan** class. +For more information about which parameters are allowed, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md index 153100cb9f..ce888c039c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Schedule regular quick and full scans with Microsoft Defender Antivirus description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 11/02/2020 ms.reviewer: pauhijbr manager: dansimp +ms.technology: mde --- # Configure scheduled quick or full Microsoft Defender Antivirus scans diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md index 433c59bb6f..1e4c37caba 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md @@ -4,7 +4,7 @@ description: Set your level of cloud-delivered protection for Microsoft Defender keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -14,6 +14,7 @@ ms.date: 10/26/2020 ms.reviewer: manager: dansimp ms.custom: nextgen +ms.technology: mde --- # Specify the cloud-delivered protection level @@ -23,13 +24,13 @@ ms.custom: nextgen **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy. > [!TIP] > Cloud protection is not simply protection for files that are stored in the cloud. The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and devices (also called endpoints). Cloud protection with Microsoft Defender Antivirus uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional security intelligence updates. -> Microsoft Intune and Microsoft Endpoint Configuration Manager are now part of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). +> Microsoft Intune and Microsoft Endpoint Manager are now part of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). ## Use Microsoft Endpoint Manager to specify the level of cloud-delivered protection diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md index 801706b95c..d0c2933ef9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md @@ -3,7 +3,7 @@ title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-pa description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ ms.custom: nextgen ms.date: 09/11/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution @@ -21,7 +22,8 @@ manager: dansimp **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md index ba1346ed98..b65212267f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Microsoft Defender AV event IDs and error codes description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ ms.custom: nextgen ms.date: 09/11/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md index 4693016f63..0b3b787b77 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md @@ -3,7 +3,7 @@ title: Troubleshoot problems with reporting tools for Microsoft Defender AV description: Identify and solve common problems when attempting to report in Microsoft Defender AV protection status in Update Compliance keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md index 87f46b0cd9..b3383fd1a6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure Microsoft Defender Antivirus with Group Policy description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender for Endpoint. keywords: group policy, GPO, configuration, settings search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ ms.custom: nextgen ms.date: 10/01/2018 ms.reviewer: ksarens manager: dansimp +ms.technology: mde --- # Use Group Policy settings to configure and manage Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md index 9b5897d363..75f4f1b7cc 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- title: Configure Microsoft Defender Antivirus with Configuration Manager and Intune -description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection +description: Use Microsoft Endpoint Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection keywords: scep, intune, endpoint protection, configuration search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.custom: nextgen ms.date: 10/26/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- -# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus +# Use Microsoft Endpoint Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -25,7 +26,7 @@ manager: dansimp - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -If you were using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans. +If you were using Microsoft Endpoint Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans. 1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Endpoint Security**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md index ae51436faa..078fbf7fab 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Use PowerShell cmdlets to configure and run Microsoft Defender AV description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Microsoft Defender Antivirus. keywords: scan, command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 07/23/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md index 51137f3e9e..92f746d03d 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure Microsoft Defender Antivirus with WMI description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender for Endpoint. keywords: wmi, scripts, windows management instrumentation, configuration search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md index da103c7192..5bc184057b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Use next-generation technologies in Microsoft Defender Antivirus through description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection. keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,6 +12,7 @@ ms.author: deniseb ms.reviewer: shwjha manager: dansimp ms.custom: nextgen +ms.technology: mde --- # Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection @@ -21,7 +22,7 @@ ms.custom: nextgen **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. @@ -45,11 +46,11 @@ src="https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI: -- [Why Microsoft Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-microsoft-defender-antivirus-is-the-most-deployed-in-the-enterprise/) -- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/) -- [How artificial intelligence stopped an Emotet outbreak](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/) -- [Detonating a bad rabbit: Microsoft Defender Antivirus and layered machine learning defenses](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-microsoft-defender-antivirus-and-layered-machine-learning-defenses/) -- [Microsoft Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://cloudblogs.microsoft.com/microsoftsecure/2017/07/18/microsoft-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/) +- [Why Microsoft Defender Antivirus is the most deployed in the enterprise](https://www.microsoft.com/security/blog/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise) +- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://www.microsoft.com/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign) +- [How artificial intelligence stopped an Emotet outbreak](https://www.microsoft.com/security/blog/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak) +- [Detonating a bad rabbit: Microsoft Defender Antivirus and layered machine learning defenses](https://www.microsoft.com/security/blog/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses) +- [Microsoft Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://www.microsoft.com/security/blog/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware) ## Get cloud-delivered protection @@ -68,7 +69,7 @@ The following table describes the differences in cloud-delivered protection betw |Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No | |Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable | |System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable | -|Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable | +|Microsoft Endpoint Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable | |Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable | You can also [configure Microsoft Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-microsoft-defender-antivirus.md#cloud-report-updates). @@ -82,6 +83,6 @@ You can also [configure Microsoft Defender Antivirus to automatically receive ne - [Configure and validate network connections for Microsoft Defender Antivirus](configure-network-connections-microsoft-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. -- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. +- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Manager and Group Policy. -- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy. +- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Manager and Group Policy. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md index 56c8f7668f..bf55abf1c4 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md @@ -1,19 +1,20 @@ --- -title: "Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint" -description: "For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings." +title: Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint +description: For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings. keywords: windows defender, antivirus, third party av search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium -audience: ITPro -ms.topic: article +audience: ITPro +ms.topic: article author: denisebmsft ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index aa6d77cbd0..bbab8b350a 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -1,7 +1,7 @@ --- title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10) description: Learn about the available Group Policy settings for Microsoft Defender Application Guard. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,6 +12,7 @@ ms.date: 10/17/2017 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Configure Microsoft Defender Application Guard policy settings diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index 007fa751d5..60b5e96c41 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -1,22 +1,23 @@ --- title: FAQ - Microsoft Defender Application Guard (Windows 10) description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 11/03/2020 +ms.date: 01/21/2021 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Frequently asked questions - Microsoft Defender Application Guard -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) Answering frequently asked questions about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. @@ -146,7 +147,7 @@ There is a known issue such that if you change the Exploit Protection settings f ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. -1. In the Group Policy setting called, *Prohibit use of Internet Connection Sharing on your DNS domain network*, set it to **Disabled**. +1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. 2. Disable IpNat.sys from ICS load as follows:
      `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` @@ -159,6 +160,28 @@ ICS is enabled by default in Windows, and ICS must be enabled in order for Appli 5. Reboot the device. +### Why doesn't the container fully load when device control policies are enabled? +Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly. + +Policy: Allow installation of devices that match any of these device IDs +- `SCSI\DiskMsft____Virtual_Disk____` +- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` +- `VMS_VSF` +- `root\Vpcivsp` +- `root\VMBus` +- `vms_mp` +- `VMS_VSP` +- `ROOT\VKRNLINTVSP` +- `ROOT\VID` +- `root\storvsp` +- `vms_vsmp` +- `VMS_PP` + +Policy: Allow installation of devices using drivers that match these device setup classes +- `{71a27cdd-812a-11d0-bec7-08002be2092f}` + + + ## See also -[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard) \ No newline at end of file +[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png index 56acb4be53..99e590e6ca 100644 Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png and b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 1903c17792..919fc5c18b 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -1,7 +1,7 @@ --- title: Enable hardware-based isolation for Microsoft Edge (Windows 10) description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,12 +12,13 @@ ms.date: 10/21/2020 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Prepare to install Microsoft Defender Application Guard **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Review system requirements diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md index d01a2ef115..2731dfe662 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender Application Guard Extension description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,6 +12,7 @@ ms.date: 06/12/2020 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Microsoft Defender Application Guard Extension @@ -48,7 +49,7 @@ Enterprise administrators running Application Guard under managed mode should fi From there, the steps for installing the extension are similar whether Application Guard is running in managed or standalone mode. 1. On the local device, download and install the Application Guard extension for Google [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and/or Mozilla [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). -1. Install the [Windows Defender Application Guard companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab) from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer. +1. Install the [Microsoft Defender Application Guard companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab) from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer. 1. Restart the device. ### Recommended browser group policies diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 4acd29aa2d..84ae3ac222 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -1,53 +1,56 @@ --- title: Microsoft Defender Application Guard (Windows 10) description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 09/07/2020 +ms.date: 01/27/2021 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Microsoft Defender Application Guard overview -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. ## What is Application Guard and how does it work? -Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. +For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container. + +For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. -If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. ![Hardware isolation diagram](images/appguard-hardware-isolation.png) ### What types of devices should use Application Guard? -Application Guard has been created to target several types of systems: +Application Guard has been created to target several types of devices: -- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. +- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. -- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. +- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. -- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. +- **Bring your own device (BYOD) mobile laptops**. These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. -- **Personal devices.** These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside. +- **Personal devices**. These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside. ## Related articles |Article |Description | -|------|------------| +|:------|:------------| |[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.| |[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.| |[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.| |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| -| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a trouble-shooting guide | +| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | +| [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 5757f18c10..4444817c21 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -1,7 +1,7 @@ --- title: System requirements for Microsoft Defender Application Guard (Windows 10) description: Learn about the system requirements for installing and running Microsoft Defender Application Guard. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,11 +12,12 @@ ms.date: 02/11/2020 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # System requirements for Microsoft Defender Application Guard -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index 6ffce8a986..0c7e53c3fb 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -1,7 +1,7 @@ --- title: Testing scenarios with Microsoft Defender Application Guard (Windows 10) description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,6 +12,7 @@ ms.reviewer: manager: dansimp ms.date: 09/14/2020 ms.custom: asr +ms.technology: mde --- # Application Guard testing scenarios diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md index 11c95b7ebf..94eacf9749 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -1,30 +1,35 @@ --- -title: "Onboard Windows 10 multi-session devices in Windows Virtual Desktop" -description: "Read more in this article about Onboarding Windows 10 multi-session devices in Windows Virtual Desktop" +title: Onboard Windows 10 multi-session devices in Windows Virtual Desktop +description: Read more in this article about Onboarding Windows 10 multi-session devices in Windows Virtual Desktop keywords: Windows Virtual Desktop, WVD, microsoft defender, endpoint, onboard search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -ms.topic: article +audience: ITPro +ms.topic: article author: dansimp ms.author: dansimp ms.custom: nextgen -ms.date: 09/10/2020 +ms.date: 02/04/2021 ms.reviewer: manager: dansimp +ms.technology: mde --- # Onboard Windows 10 multi-session devices in Windows Virtual Desktop -6 minutes to read Applies to: - Windows 10 multi-session running on Windows Virtual Desktop (WVD) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + > [!IMPORTANT] -> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future. +> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender for Endpoint. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future. > [!WARNING] > Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported. @@ -32,37 +37,37 @@ Applies to: Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity. ## Before you begin -Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). While [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a golden Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment and thus impacts what entries are created and maintained in the Microsoft Defender for Endpoint portal, potentially reducing visibility for your security analysts. +Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts. > [!NOTE] -> Depending on your choice of onboarding method, devices can appear in Microsoft Defender for Endpoint portal as either: +> Depending on your choice of onboarding method, devices can appear in Microsoft Defender Security Center as either: > - Single entry for each virtual desktop > - Multiple entries for each virtual desktop -Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Endpoint portal is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender for Endpoint portal. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently. +Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Security Center is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender Security Center. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently. -Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD golden image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. +Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. > [!NOTE] > The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is NOT recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account. -### Scenarios +## Scenarios There are several ways to onboard a WVD host machine: - Run the script in the golden image (or from a shared location) during startup. - Use a management tool to run the script. -#### *Scenario 1: Using local group policy* +### Scenario 1: Using local group policy This scenario requires placing the script in a golden image and uses local group policy to run early in the boot process. Use the instructions in [Onboard non-persistent virtual desktop infrastructure VDI devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Follow the instructions for a single entry for each device. -#### *Scenario 2: Using domain group policy* +### Scenario 2: Using domain group policy This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way. -**Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center** +#### Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center 1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) - In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**. - Select Windows 10 as the operating system. @@ -70,7 +75,7 @@ This scenario uses a centrally located script and runs it using a domain-based g - Click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**. -**Use Group Policy management console to run the script when the virtual machine starts** +#### Use Group Policy management console to run the script when the virtual machine starts 1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. 1. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**. 1. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7). @@ -85,30 +90,30 @@ Enter the following: Click **OK** and close any open GPMC windows. -#### *Scenario 3: Onboarding using management tools* +### Scenario 3: Onboarding using management tools If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager. For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) > [!WARNING] -> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), please note that rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Configuration Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly. +> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), please note that rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly. > [!TIP] > After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test). -#### Tagging your machines when building your golden image +## Tagging your machines when building your image As part of your onboarding, you may want to consider setting a machine tag to be able to differentiate WVD machines more easily in the Microsoft Security Center. For more information, see [Add device tags by setting a registry key value](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags#add-device-tags-by-setting-a-registry-key-value). -#### Other recommended configuration settings +## Other recommended configuration settings -When building your golden image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings). +When building your image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings). In addition, if you are using FSlogix user profiles, we recommend you exclude the following files from always-on protection: -**Exclude Files:** +### Exclude Files > %ProgramFiles%\FSLogix\Apps\frxdrv.sys
      > %ProgramFiles%\FSLogix\Apps\frxdrvvt.sys
      @@ -120,12 +125,12 @@ In addition, if you are using FSlogix user profiles, we recommend you exclude th > \\storageaccount.file.core.windows.net\share\*\*.VHD
      > \\storageaccount.file.core.windows.net\share\*\*.VHDX
      -**Exclude Processes:** +### Exclude Processes > %ProgramFiles%\FSLogix\Apps\frxccd.exe
      > %ProgramFiles%\FSLogix\Apps\frxccds.exe
      > %ProgramFiles%\FSLogix\Apps\frxsvc.exe
      -#### Licensing requirements +## Licensing requirements Windows 10 Multi-session is a client OS. Licensing requirements for Microsoft Defender for endpoint can be found at: [Licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements). diff --git a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md index ccf8b5f19e..969ca1a11c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md +++ b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md @@ -4,7 +4,7 @@ description: Access the Microsoft Defender Security Center MSSP customer portal keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,23 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Access the Microsoft Defender Security Center MSSP customer portal +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index 94849b6b18..4b005be826 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -3,7 +3,7 @@ title: Add or Remove Machine Tags API description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, tags, machine tags search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Add or Remove Machine Tags API +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -54,7 +60,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ## HTTP request ```http -POST https://api.securitycenter.windows.com/api/machines/{id}/tags +POST https://api.securitycenter.microsoft.com/api/machines/{id}/tags ``` ## Request headers @@ -84,11 +90,11 @@ If successful, this method returns 200 - Ok response code and the updated Machin Here is an example of a request that adds machine tag. -[!include[Improve request performance](../../includes/improve-request-performance.md)] +``` +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags +``` -```http -POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags -Content-type: application/json +```json { "Value" : "test Tag 2", "Action": "Add" diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 725daf0761..418d398d86 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -4,7 +4,7 @@ description: Turn on advanced features such as block file in Microsoft Defender keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, azure atp, office 365, azure information protection, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,24 +13,31 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure advanced features in Defender for Endpoint +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with. -Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: +## Enable advanced features + +1. In the navigation pane, select **Preferences setup** > **Advanced features**. +2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. +3. Click **Save preferences**. + +Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations. ## Automated investigation @@ -42,6 +49,12 @@ Turn on this feature so that users with the appropriate permissions can start a For more information about role assignments, see [Create and manage roles](user-roles.md). +## Live response for servers +Turn on this feature so that users with the appropriate permissions can start a live response session on servers. + +For more information about role assignments, see [Create and manage roles](user-roles.md). + + ## Live response unsigned script execution Enabling this feature allows you to run unsigned scripts in a live response session. @@ -114,22 +127,6 @@ The integration with Azure Advanced Threat Protection allows you to pivot direct >[!NOTE] >You'll need to have the appropriate license to enable this feature. -## Microsoft Secure Score - -Forwards Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. - -### Enable the Defender for Endpoint integration from the Azure ATP portal - -To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. - -1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role. - -2. Click **Create your instance**. - -3. Toggle the Integration setting to **On** and click **Save**. - -After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page. - ## Office 365 Threat Intelligence connection This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page. @@ -159,6 +156,22 @@ Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded devices and device risk ratings. +## Microsoft Secure Score + +Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. + +### Enable the Microsoft Defender ATP integration from the Azure ATP portal + +To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. + +1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role. + +2. Click **Create your instance**. + +3. Toggle the Integration setting to **On** and click **Save**. + +After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page. + ## Microsoft Intune connection Defender for Endpoint can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement. @@ -178,7 +191,6 @@ When you enable Intune integration, Intune will automatically create a classic C >[!NOTE] > The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints. - ## Preview features Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience. @@ -191,12 +203,6 @@ Forwards endpoint security alerts and their triage status to Microsoft Complianc After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users. -## Enable advanced features - -1. In the navigation pane, select **Preferences setup** > **Advanced features**. -2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. -3. Click **Save preferences**. - ## Related topics - [Update data retention settings](data-retention-settings.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md index 46e60648d1..ec9f2b383d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md @@ -1,10 +1,10 @@ --- title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender Advanced Threat Protection -description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device +description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,21 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 09/20/2020 +ms.technology: mde --- # AssignedIPAddresses() [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index bd47d4a12b..3d5528fced 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -4,7 +4,7 @@ description: Learn how to construct fast, efficient, and error-free threat hunti keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: m365-security-compliance +ms.collection: m365-security-compliance ms.topic: article +ms.technology: mde --- # Advanced hunting query best practices @@ -22,8 +23,8 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md index 51940745aa..dfd47ce5c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md @@ -4,7 +4,7 @@ description: Learn about alert generation events in the DeviceAlertEvents table keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,20 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 01/22/2020 +ms.technology: mde --- # DeviceAlertEvents [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index 82be65bdc4..85121c67e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md @@ -4,7 +4,7 @@ description: Learn about antivirus, firewall, and other event types in the misce keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, MiscEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,18 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceEvents [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md index 20c0ceb254..9d8a944f7b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md @@ -4,7 +4,7 @@ description: Learn about file signing information in the DeviceFileCertificateIn keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,20 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 01/14/2020 +ms.technology: mde --- # DeviceFileCertificateInfo [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 2a453a4169..1f725b1953 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md @@ -1,10 +1,10 @@ --- -title: DeviceFileEvents table in the advanced hunting schema +title: DeviceFileEvents table in the advanced hunting schema description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5, FileCreationEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,19 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceFileEvents [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md index a00c2ef094..2403e7dca0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md @@ -4,7 +4,7 @@ description: Learn about DLL loading events in the DeviceImageLoadEvents table o keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image, ImageLoadEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,19 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceImageLoadEvents [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md index 8c806a1b38..e9bb4da83c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md @@ -1,10 +1,10 @@ --- title: DeviceInfo table in the advanced hunting schema description: Learn about OS, computer name, and other device information in the DeviceInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, OS, platform, users, DeviceInfo +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, OS, platform, users, DeviceInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,19 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceInfo [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md index c04883052f..8d7bb09379 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md @@ -4,7 +4,7 @@ description: Learn about authentication or sign-in events in the DeviceLogonEven keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in, LogonEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,19 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceLogonEvents [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md index 467888a9d3..606738f0a5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md @@ -4,7 +4,7 @@ description: Learn about network connection events you can query from the Device keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip, NetworkCommunicationEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,19 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceNetworkEvents [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md index 48ae9ead1e..469cf50647 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md @@ -4,7 +4,7 @@ description: Learn about network configuration information in the DeviceNetworkI keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, device, mac, ip, adapter, dns, dhcp, gateway, tunnel, DeviceNetworkInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,19 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceNetworkInfo [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) @@ -40,8 +41,8 @@ For information on other tables in the advanced hunting schema, see [the advance | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | | `NetworkAdapterName` | string | Name of the network adapter | | `MacAddress` | string | MAC address of the network adapter | -| `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) | -| `NetworkAdapterStatus` | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) | +| `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2&preserve-view=true) | +| `NetworkAdapterStatus` | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2&preserve-view=true) | | `TunnelType` | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH | | `ConnectedNetworks` | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet | | `DnsAddresses` | string | DNS server addresses in JSON array format | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md index 921304b30c..3f8c20ce5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md @@ -4,7 +4,7 @@ description: Learn about the process spawning or creation events in the DevicePr keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line, ProcessCreationEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,19 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceProcessEvents [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md index ec6f722e98..91bf57e992 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md @@ -4,7 +4,7 @@ description: Learn about registry events you can query from the DeviceRegistryEv keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value, RegistryEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,18 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceRegistryEvents [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md index bf6dc4404d..1a30b1c1d8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md @@ -1,10 +1,10 @@ --- title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema -description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide device information as well as security configuration details, impact, and compliance information. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment +description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide device information as well as security configuration details, impact, and compliance information. +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,18 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceTvmSecureConfigurationAssessment [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md index 317e6e26c6..33b5554fd4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md @@ -1,10 +1,10 @@ --- title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema -description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. +description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,18 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceTvmSecureConfigurationAssessmentKB [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md index d61956dee5..9a7862714a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md @@ -4,7 +4,7 @@ description: Learn about the inventory of software in your devices and their vul keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,22 +13,21 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceTvmSoftwareInventoryVulnerabilities [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) - [!include[Prerelease information](../../includes/prerelease.md)] The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md index 0779d7d929..bbbfb435dc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md @@ -1,10 +1,10 @@ --- title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema -description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB +description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema. +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,18 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceTvmSoftwareVulnerabilitiesKB [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md index ab53ab3585..ffff09c519 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md @@ -4,7 +4,7 @@ description: Understand errors displayed when using advanced hunting keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Handle advanced hunting errors @@ -22,11 +23,11 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) - Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined limits](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors. | Error type | Cause | Resolution | Error message examples | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md index 60566f53f5..e1120e33aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md @@ -1,10 +1,10 @@ --- -title: Extend advanced hunting coverage with the right settings -description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting -keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection +title: Extend advanced hunting coverage with the right settings +description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting +keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 10/10/2020 +ms.technology: mde --- # Extend advanced hunting coverage with the right settings @@ -23,8 +24,8 @@ ms.date: 10/10/2020 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** - -- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) [Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md index 365f8ef6ba..ca6bab10ed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md @@ -1,10 +1,10 @@ --- title: FileProfile() function in advanced hunting for Microsoft Defender Advanced Threat Protection -description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results +description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,16 +13,16 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 09/20/2020 +ms.technology: mde --- # FileProfile() **Applies to:** - -- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md index 9b8aed20bc..b8df03089a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md @@ -1,29 +1,34 @@ --- -title: Get relevant info about an entity with go hunt -description: Learn how to use the "go hunt" tool to quickly query for relevant information about an entity or event using advanced hunting. +title: Get relevant info about an entity with go hunt +description: Learn how to use the go hunt tool to quickly query for relevant information about an entity or event using advanced hunting. keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft Threat Protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -f1.keywords: -- NOCSH +f1.keywords: + - NOCSH ms.author: v-maave author: martyav ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Quickly hunt for entity or event information with go hunt [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** +- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md index 0516afc2f2..65059297a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md @@ -4,7 +4,7 @@ description: Understand various service limits that keep the advanced hunting se keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, schema, kusto, CPU limit, query limit, resources, maximum results search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Advanced hunting service limits @@ -22,7 +23,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index e42dbf4cf3..40e92ba327 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md @@ -4,7 +4,7 @@ description: Use threat hunting capabilities in Microsoft Defender ATP to build keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto, time zone, UTC search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Proactively hunt for threats with advanced hunting @@ -22,7 +23,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index 76fd2bee7e..b8df669734 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -4,7 +4,7 @@ description: Create your first threat hunting query and learn about common opera keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Learn the advanced hunting query language @@ -22,7 +23,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md index 34db3e0745..062ccc2962 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md @@ -4,7 +4,7 @@ description: Make the most of the query results returned by advanced hunting in keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,17 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Work with advanced hunting query results [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index a0988a90d0..17f6ebfe5d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -4,7 +4,7 @@ description: Learn about the tables in the advanced hunting schema to understand keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,18 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 01/14/2020 +ms.technology: mde --- # Understand the advanced hunting schema [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md index 0daf0cbfda..36e806bc85 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md @@ -4,7 +4,7 @@ description: Start threat hunting immediately with predefined and shared queries keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,18 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Use shared queries in advanced hunting [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md index d535b139e2..f1e57a9b92 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md @@ -4,7 +4,7 @@ description: Quickly address threats and affected assets in your advanced huntin keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,15 +13,18 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 09/20/2020 +ms.technology: mde --- # Take action on advanced hunting query results **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md index 5e96430994..5fe6c98c25 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md @@ -5,7 +5,7 @@ description: View and manage the alerts surfaced in Microsoft Defender Security keywords: search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,17 +14,23 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/03/2018 +ms.technology: mde --- # Alerts queue in Microsoft Defender Security Center [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts. +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts. ## In this section Topic | Description diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index e403e8465c..8978316dd4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -4,7 +4,7 @@ description: Learn about how the Microsoft Defender ATP alerts queues work, and keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period, microsoft threat experts alerts search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,19 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 03/27/2020 +ms.technology: mde --- # View and organize the Microsoft Defender for Endpoint Alerts queue [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink) @@ -80,24 +80,24 @@ We've redefined the alert categories to align to the [enterprise attack tactics] The table below lists the current categories and how they generally map to previous categories. -| New category | Previous categories | Detected threat activity or component | -|----------------------|----------------------|-------------| -| Collection | - | Locating and collecting data for exfiltration | -| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands | -| Credential access | CredentialTheft | Obtaining valid credentials to extend control over devices and other resources in the network | -| Defense evasion | - | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits | -| Discovery | Reconnaissance, WebFingerprinting | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers | -| Execution | Delivery, MalwareDownload | Launching attacker tools and malicious code, including RATs and backdoors | -| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location | -| Exploit | Exploit | Exploit code and possible exploitation activity | -| Initial access | SocialEngineering, WebExploit, DocumentExploit | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails | -| Lateral movement | LateralMovement, NetworkPropagation | Moving between devices in the target network to reach critical resources or gain network persistence | -| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Backdoors, trojans, and other types of malicious code | -| Persistence | Installation, Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts | -| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account | -| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access | -| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | Atypical activity that could be malware activity or part of an attack | -| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) | +| New category | API category name | Detected threat activity or component | +|----------------------|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------| +| Collection | Collection | Locating and collecting data for exfiltration | +| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands | +| Credential access | CredentialAccess | Obtaining valid credentials to extend control over devices and other resources in the network | +| Defense evasion | DefenseEvasion | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits | +| Discovery | Discovery | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers | +| Execution | Execution | Launching attacker tools and malicious code, including RATs and backdoors | +| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location | +| Exploit | Exploit | Exploit code and possible exploitation activity | +| Initial access | InitialAccess | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails | +| Lateral movement | LateralMovement | Moving between devices in the target network to reach critical resources or gain network persistence | +| Malware | Malware | Backdoors, trojans, and other types of malicious code | +| Persistence | Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts | +| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account | +| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access | +| Suspicious activity | SuspiciousActivity | Atypical activity that could be malware activity or part of an attack | +| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) | ### Status @@ -123,6 +123,22 @@ Select the source that triggered the alert detection. Microsoft Threat Experts p >[!NOTE] >The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product. +| Detection source | API value | +|-----------------------------------|----------------------------| +| 3rd party sensors | ThirdPartySensors | +| Antivirus | WindowsDefenderAv | +| Automated investigation | AutomatedInvestigation | +| Custom detection | CustomDetection | +| Custom TI | CustomerTI | +| EDR | WindowsDefenderAtp | +| Microsoft 365 Defender | MTP | +| Microsoft Defender for Office 365 | OfficeATP | +| Microsoft Threat Experts | ThreatExperts | +| SmartScreen | WindowsDefenderSmartScreen | + + + + ### OS platform diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index eaa7c56c2f..16357997f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -3,7 +3,7 @@ title: Get alerts API description: Learn about the methods and properties of the Alert resource type in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,16 +14,22 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Alert resource type [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -**Applies to:** [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Methods @@ -31,7 +37,8 @@ Method |Return Type |Description :---|:---|:--- [Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object. [List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection. -[Update alert](get-alerts.md) | [Alert](update-alert.md) | Update specific [alert](alerts.md). +[Update alert](update-alert.md) | [Alert](alerts.md) | Update specific [alert](alerts.md). +[Batch update alerts](batch-update-alerts.md) | | Update a batch of [alerts](alerts.md). [Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md). [List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert. [List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md). @@ -63,45 +70,145 @@ determination | Nullable Enum | Specifies the determination of the alert. Possib category| String | Category of the alert. detectionSource | String | Detection source. threatFamilyName | String | Threat family. +threatName | String | Threat name. machineId | String | ID of a [machine](machine.md) entity that is associated with the alert. computerDnsName | String | [machine](machine.md) fully qualified name. aadTenantId | String | The Azure Active Directory ID. -comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time. +detectorId | String | The ID of the detector that triggered the alert. +comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time. +Evidence | List of Alert evidence | Evidence related to the alert. See example below. ### Response example for getting single alert: -``` -GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-292920499 +```http +GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609 ``` ```json { - "id": "da637084217856368682_-292920499", - "incidentId": 66860, - "investigationId": 4416234, - "investigationState": "Running", - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "New", - "classification": "TruePositive", - "determination": null, - "detectionSource": "WindowsDefenderAtp", - "category": "CommandAndControl", - "threatFamilyName": null, - "title": "Network connection to a risky host", - "description": "A network connection was made to a risky host which has exhibited malicious activity.", - "alertCreationTime": "2019-11-03T23:49:45.3823185Z", - "firstEventTime": "2019-11-03T23:47:16.2288822Z", - "lastEventTime": "2019-11-03T23:47:51.2966758Z", - "lastUpdateTime": "2019-11-03T23:55:52.6Z", - "resolvedTime": null, - "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd", - "comments": [ - { - "comment": "test comment for docs", - "createdBy": "secop@contoso.com", - "createdTime": "2019-11-05T14:08:37.8404534Z" - } - ] + "id": "da637472900382838869_1364969609", + "incidentId": 1126093, + "investigationId": null, + "assignedTo": null, + "severity": "Low", + "status": "New", + "classification": null, + "determination": null, + "investigationState": "Queued", + "detectionSource": "WindowsDefenderAtp", + "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952", + "category": "Execution", + "threatFamilyName": null, + "title": "Low-reputation arbitrary code executed by signed executable", + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.", + "alertCreationTime": "2021-01-26T20:33:57.7220239Z", + "firstEventTime": "2021-01-26T20:31:32.9562661Z", + "lastEventTime": "2021-01-26T20:31:33.0577322Z", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", + "resolvedTime": null, + "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625", + "computerDnsName": "temp123.middleeast.corp.microsoft.com", + "rbacGroupName": "A", + "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], + "relatedUser": { + "userName": "temp123", + "domainName": "MIDDLEEAST" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop123@contoso.com", + "createdTime": "2021-01-26T01:00:37.8404534Z" + } + ], + "evidence": [ + { + "entityType": "User", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": null, + "sha256": null, + "fileName": null, + "filePath": null, + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": "eranb", + "domainName": "MIDDLEEAST", + "userSid": "S-1-5-21-11111607-1111760036-109187956-75141", + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "userPrincipalName": "temp123@microsoft.com", + "detectionStatus": null + }, + { + "entityType": "Process", + "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z", + "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", + "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6", + "fileName": "rundll32.exe", + "filePath": "C:\\Windows\\SysWOW64", + "processId": 3276, + "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe", + "processCreationTime": "2021-01-26T20:31:32.9581596Z", + "parentProcessId": 8420, + "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z", + "parentProcessFileName": "rundll32.exe", + "parentProcessFilePath": "C:\\Windows\\System32", + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + }, + { + "entityType": "File", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c", + "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608", + "fileName": "suspicious.dll", + "filePath": "c:\\temp", + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + } + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md index f9f5d899e6..dfc9c405e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md @@ -1,11 +1,11 @@ --- title: Configure Microsoft Defender ATP for Android features -ms.reviewer: -description: Describes how to configure Microsoft Defender ATP for Android +ms.reviewer: +description: Describes how to configure Microsoft Defender ATP for Android keywords: microsoft, defender, atp, android, configuration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Configure Defender for Endpoint for Android features @@ -25,8 +26,8 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** - -- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ## Conditional Access with Defender for Endpoint for Android Microsoft Defender for Endpoint for Android along with Microsoft Intune and Azure Active diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md index ddba7d596d..89f8619d4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md @@ -1,11 +1,11 @@ --- title: Deploy Microsoft Defender ATP for Android with Microsoft Intune -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Android with Microsoft Intune keywords: microsoft, defender, atp, android, installation, deploy, uninstallation, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,21 +15,24 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Defender for Endpoint](microsoft-defender-atp-android.md) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -This topic describes deploying Defender for Endpoint for Android on Intune + +Learn how to deploy Defender for Endpoint for Android on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal). @@ -44,42 +47,42 @@ device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-co **Deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices** -This topic describes how to deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices. +Learn how to deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices. ### Add as Android store app 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> -**Android Apps** \> **Add \> Android store app** and click **Select**. - - ![Image of Microsoft Endpoint Manager Admin Center](images/mda-addandroidstoreapp.png) +**Android Apps** \> **Add \> Android store app** and choose **Select**. + ![Image of Microsoft Endpoint Manager Admin Center add android store application](images/mda-addandroidstoreapp.png) 2. On the **Add app** page and in the *App Information* section enter: - **Name** - **Description** - **Publisher** as Microsoft. - - **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Defender for Endpoint app Google Play Store URL) + - **App store URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Defender for Endpoint app Google Play Store URL) Other fields are optional. Select **Next**. - ![Image of Microsoft Endpoint Manager Admin Center](images/mda-addappinfo.png) + ![Image of Microsoft Endpoint Manager Admin Center add app info](images/mda-addappinfo.png) -3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Click **Select** and then **Next**. +3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Choose **Select** and then **Next**. >[!NOTE] >The selected user group should consist of Intune enrolled users. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png) + + > ![Image of the Microsoft Endpoint Manager Admin Center selected user groups](images/363bf30f7d69a94db578e8af0ddd044b.png) 4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. In a few moments, the Defender for Endpoint app would be created successfully, and a notification would show up at the top-right corner of the page. - ![Image of Microsoft Endpoint Manager Admin Center](images/86cbe56f88bb6e93e9c63303397fc24f.png) + ![Image of Microsoft Endpoint Manager Admin Center notification of defender endpoint app](images/86cbe56f88bb6e93e9c63303397fc24f.png) 5. In the app information page that is displayed, in the **Monitor** section, @@ -87,7 +90,7 @@ select **Device install status** to verify that the device installation has completed successfully. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager Admin Center](images/513cf5d59eaaef5d2b5bc122715b5844.png) + > ![Image of Microsoft Endpoint Manager Admin Center device install](images/513cf5d59eaaef5d2b5bc122715b5844.png) ### Complete onboarding and check status @@ -109,10 +112,9 @@ list in Microsoft Defender Security Center. Defender for Endpoint for Android supports Android Enterprise enrolled devices. For more information on the enrollment options supported by Intune, see -[Enrollment -Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) . +[Enrollment Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll). -Currently only Personal devices with Work Profile enrolled are supported for deployment. +**Currently, Personally owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.** @@ -125,14 +127,13 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> **Android Apps** \> **Add** and select **Managed Google Play app**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager admin center](images/579ff59f31f599414cedf63051628b2e.png) - + > ![Image of Microsoft Endpoint Manager admin center managed google play](images/579ff59f31f599414cedf63051628b2e.png) 2. On your managed Google Play page that loads subsequently, go to the search box and lookup **Microsoft Defender.** Your search should display the Microsoft Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result. - ![Image of Microsoft Endpoint Manager admin center](images/0f79cb37900b57c3e2bb0effad1c19cb.png) + ![Image of Microsoft Endpoint Manager admin center Apps search](images/0f79cb37900b57c3e2bb0effad1c19cb.png) 3. In the App description page that comes up next, you should be able to see app details on Defender for Endpoint. Review the information on the page and then @@ -142,7 +143,7 @@ select **Approve**. > ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png) -4. You should now be presented with the permissions that Defender for Endpoint +4. You'll be presented with the permissions that Defender for Endpoint obtains for it to work. Review them and then select **Approve**. ![A screenshot of Defender for Endpoint preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png) @@ -182,7 +183,7 @@ Defender ATP should be visible in the apps list. 1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**. - ![Image of Microsoft Endpoint Manager admin center](images/android-mem.png) + ![Image of Microsoft Endpoint Manager admin center android managed devices](images/android-mem.png) 1. In the **Create app configuration policy** page, enter the following details: @@ -202,27 +203,27 @@ Defender ATP should be visible in the apps list. Then select **OK**. > [!div class="mx-imgBorder"] - > ![Image of create app configuration policy](images/android-create-app-config.png) + > ![Image of android create app configuration policy](images/android-create-app-config.png) 1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**. > [!div class="mx-imgBorder"] - > ![Image of create app configuration policy](images/android-auto-grant.png) + > ![Image of android auto grant create app configuration policy](images/android-auto-grant.png) 1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app. > [!div class="mx-imgBorder"] - > ![Image of create app configuration policy](images/android-select-group.png) + > ![Image of the create app configuration policy](images/android-select-group.png) 1. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
      - The app configuration policy for Defender for Endpoint auto-granting the storage permission is now assigned to the selected user group. + The app configuration policy for Defender for Endpoint autogranting the storage permission is now assigned to the selected user group. > [!div class="mx-imgBorder"] - > ![Image of create app configuration policy](images/android-review-create.png) + > ![Image of android review create app config policy](images/android-review-create.png) 10. Select **Microsoft Defender ATP** app in the list \> **Properties** \> @@ -244,6 +245,45 @@ the *Required* section \> **Add group,** selecting the user group and click above. Then select **Review + Save** and then **Save** again to commence assignment. +### Auto Setup of Always-on VPN +Defender for Endpoint supports Device configuration policies for managed devices via Intune. This capability can be leveraged to **Auto setup of Always-on VPN** on Android Enterprise enrolled devices, so the end user does not need to set up VPN service while onboarding. +1. On **Devices**, select **Configuration Profiles** > **Create Profile** > **Platform** > **Android Enterprise** +Select **Device restrictions** under one of the following, based on your device enrollment type +- **Fully Managed, Dedicated, and Corporate-Owned Work Profile** +- **Personally owned Work Profile** + +Select **Create**. + + > ![Image of devices configuration profile Create](images/1autosetupofvpn.png) + +2. **Configuration Settings** + Provide a **Name** and a **Description** to uniquely identify the configuration profile. + + > ![Image of devices configuration profile Name and Description](images/2autosetupofvpn.png) + + 3. Select **Connectivity** and configure VPN: +- Enable **Always-on VPN** +Setup a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device. +- Select **Custom** in VPN client dropdown list +Custom VPN in this case is Defender for Endpoint VPN which is used to provide the Web Protection feature. + > [!NOTE] + > Microsoft Defender ATP app must be installed on user’s device, in order to functioning of auto setup of this VPN. + +- Enter **Package ID** of the Microsoft Defender ATP app in Google Play store. For the Defender app URL https://play.google.com/store/apps/details?id=com.microsoft.scmx, Package ID is **com.microsoft.scmx** +- **Lockdown mode** Not configured (Default) + + ![Image of devices configuration profile enable Always-on VPN](images/3autosetupofvpn.png) + +4. **Assignment** +In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups** to include and selecting the applicable group and then click **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app. + + ![Image of devices configuration profile Assignment](images/4autosetupofvpn.png) + +5. In the **Review + Create** page that comes up next, review all the information and then select **Create**. +The device configuration profile is now assigned to the selected user group. + + ![Image of devices configuration profile Review and Create](images/5autosetupofvpn.png) + ## Complete onboarding and check status 1. Confirm the installation status of Microsoft Defender for Endpoint for Android by @@ -254,8 +294,7 @@ displayed here. > ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png) -2. On the device, you can confirm the same by going to the **work profile** and -confirm that Defender for Endpoint is available. +2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available. ![Image of app in mobile device](images/c2e647fc8fa31c4f2349c76f2497bc0e.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md index 66ec2fa838..10ddc13de9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md @@ -4,7 +4,7 @@ description: Privacy controls, how to configure policy settings that impact priv keywords: microsoft, defender, atp, android, privacy, diagnostic search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,15 +13,18 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender for Endpoint for Android - Privacy information **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Defender for Endpoint for Android collects information from your configured diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md index 34959bf022..f301f7ead9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md @@ -1,11 +1,11 @@ --- title: Troubleshoot issues on Microsoft Defender ATP for Android -ms.reviewer: +ms.reviewer: description: Troubleshoot issues for Microsoft Defender ATP for Android keywords: microsoft, defender, atp, android, cloud, connectivity, communication search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,23 +15,29 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Troubleshooting issues on Microsoft Defender for Endpoint for Android [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +When onboarding a device, you might see sign in issues after the app is installed. -- [Defender for Endpoint](microsoft-defender-atp-android.md) During onboarding, you might encounter sign in issues after the app is installed on your device. -This article provides solutions to address the sign on issues. +This article provides solutions to help address the sign-on issues. ## Sign in failed - unexpected error **Sign in failed:** *Unexpected error, try later* @@ -63,29 +69,28 @@ from Google Play Store and try again **Cause:** -You do not have Microsoft 365 license assigned, or your organization does not -have a license for Microsoft 365 Enterprise subscription. +You do not have Microsoft 365 license assigned, or your organization does not have a license for Microsoft 365 Enterprise subscription. **Solution:** Contact your administrator for help. -## Phishing pages are not blocked on specific OEM devices +## Phishing pages aren't blocked on some OEM devices **Applies to:** Specific OEMs only - **Xiaomi** -Phishing and harmful web connection threats detected by Defender for Endpoint -for Android are not blocked on some Xiaomi devices. The following functionality does not work on these devices. +Phishing and harmful web threats that are detected by Defender for Endpoint +for Android are not blocked on some Xiaomi devices. The following functionality doesn't work on these devices. ![Image of site reported unsafe](images/0c04975c74746a5cdb085e1d9386e713.png) **Cause:** -Xiaomi devices introduced a new permission that prevents Defender for Endpoint -for Android app from displaying pop-up windows while running in the background. +Xiaomi devices include a new permission model. This prevents Defender for Endpoint +for Android from displaying pop-up windows while it runs in the background. Xiaomi devices permission: "Display pop-up windows while running in the background." diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md index d80fdbbc7f..1ab039d371 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md @@ -1,11 +1,11 @@ --- title: Microsoft Defender ATP for Android Application license terms -ms.reviewer: +ms.reviewer: description: Describes the Microsoft Defender ATP for Android license terms -keywords: microsoft, defender, atp, android,license, terms, application, use, installation, service, feedback, scope, +keywords: microsoft, defender, atp, android,license, terms, application, use, installation, service, feedback, scope, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,6 +17,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual hideEdit: true +ms.technology: mde --- # Microsoft Defender for Endpoint for Android application license terms @@ -24,8 +25,11 @@ hideEdit: true [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- [Microsoft Defender for Endpoint](microsoft-defender-atp-android.md) ## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT @@ -55,9 +59,9 @@ DO NOT USE THE APPLICATION.** of this application on Android enabled device or devices that you own or control. You may use this application with your company's valid subscription of Microsoft Defender for Endpoint or - an online service that includes MDATP functionalities. + an online service that includes Microsoft Defender for Endpoint functionalities. - 2. **Updates.** Updates or upgrades to MDATP may be required for full + 2. **Updates.** Updates or upgrades to Microsoft Defender for Endpoint may be required for full functionality. Some functionality may not be available in all countries. 3. **Third-Party Programs.** The application may include third-party diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md index c75879bafc..cadef87218 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md @@ -1,11 +1,11 @@ --- -title: API Explorer in Microsoft Defender ATP +title: API Explorer in Microsoft Defender ATP ms.reviewer: description: Use the API Explorer to construct and do API queries, test, and send requests for any available API -keywords: api, explorer, send, request, get, post, +keywords: api, explorer, send, request, get, post, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,18 +14,18 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # API Explorer [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) The Microsoft Defender for Endpoint API Explorer is a tool that helps you explore various Defender for Endpoint APIs interactively. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md index 0dfd7bfce2..7793136a50 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md @@ -4,7 +4,7 @@ ms.reviewer: description: Create a practice 'Hello world'-style API call to the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Defender for Endpoint API - Hello World @@ -22,10 +23,16 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + ## Get Alerts using a simple PowerShell script @@ -53,11 +60,11 @@ For the Application registration stage, you must have a **Global administrator** - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. - ![Image of API access and API selection](images/add-permission.png) + ![Image of API access and API selection1](images/add-permission.png) - Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions** - ![Image of API access and API selection](images/application-permissions.png) + ![Image of API access and API selection2](images/application-permissions.png) **Important note**: You need to select the relevant permissions. 'Read All Alerts' is only an example! @@ -103,8 +110,8 @@ $tenantId = '' ### Paste your tenant ID here $appId = '' ### Paste your Application ID here $appSecret = '' ### Paste your Application secret here -$resourceAppIdUri = 'https://api.securitycenter.windows.com' -$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$resourceAppIdUri = 'https://api.securitycenter.microsoft.com' +$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token" $authBody = [Ordered] @{ resource = "$resourceAppIdUri" client_id = "$appId" @@ -142,7 +149,7 @@ $dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o") # The URL contains the type of query and the time filter we create above # Read more about other query options and filters at Https://TBD- add the documentation link -$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime" +$url = "https://api.securitycenter.microsoft.com/api/alerts?`$filter=alertCreationTime ge $dateTime" # Set the WebRequest headers $headers = @{ diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md index 95525bbf97..b5b277ed3b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md @@ -4,7 +4,7 @@ ms.reviewer: description: Use Microsoft Defender ATP Flow connector to automate security and create a flow that will be triggered any time a new alert occurs on your tenant. keywords: flow, supported apis, api, Microsoft flow, query, automation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,24 +13,31 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes. Microsoft Defender API has an official Flow Connector with many capabilities. -![Image of edit credentials](images/api-flow-0.png) +![Image of edit credentials1](images/api-flow-0.png) + +> [!NOTE] +> For more details about premium connectors licensing prerequisites, see [Licensing for premium connectors](https://docs.microsoft.com/power-automate/triggers-introduction#licensing-for-premium-connectors). + ## Usage example @@ -40,15 +47,15 @@ The following example demonstrates how to create a Flow that is triggered any ti 2. Go to **My flows** > **New** > **Automated-from blank**. - ![Image of edit credentials](images/api-flow-1.png) + ![Image of edit credentials2](images/api-flow-1.png) 3. Choose a name for your Flow, search for "Microsoft Defender ATP Triggers" as the trigger, and then select the new Alerts trigger. - ![Image of edit credentials](images/api-flow-2.png) + ![Image of edit credentials3](images/api-flow-2.png) Now you have a Flow that is triggered every time a new Alert occurs. -![Image of edit credentials](images/api-flow-3.png) +![Image of edit credentials4](images/api-flow-3.png) All you need to do now is choose your next steps. For example, you can isolate the device if the Severity of the Alert is High and send an email about it. @@ -62,7 +69,7 @@ The Alert trigger provides only the Alert ID and the Machine ID. You can use the 3. Set the **Alert ID** from the last step as **Input**. - ![Image of edit credentials](images/api-flow-4.png) + ![Image of edit credentials5](images/api-flow-4.png) ### Isolate the device if the Alert's severity is High @@ -72,7 +79,7 @@ The Alert trigger provides only the Alert ID and the Machine ID. You can use the If yes, add the **Microsoft Defender ATP - Isolate machine** action with the Machine ID and a comment. - ![Image of edit credentials](images/api-flow-5.png) + ![Image of edit credentials6](images/api-flow-5.png) 3. Add a new step for emailing about the Alert and the Isolation. There are multiple email connectors that are very easy to use, such as Outlook or Gmail. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 2170d310c0..91c6a65e75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -4,7 +4,7 @@ description: Understand how the Detections API fields map to the values in Micro keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,18 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Defender for Endpoint detections API fields [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) @@ -85,9 +85,9 @@ Field numbers match the numbers in the images below. ![Image of alert details pane with numbers](images/atp-siem-mapping13.png) -![Image of artifact timeline with numbers](images/atp-siem-mapping3.png) +![Image of artifact timeline with numbers1](images/atp-siem-mapping3.png) -![Image of artifact timeline with numbers](images/atp-siem-mapping4.png) +![Image of artifact timeline with numbers2](images/atp-siem-mapping4.png) ![Image machine view](images/atp-mapping6.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md index 605b0f511a..e77e799097 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md @@ -4,7 +4,7 @@ ms.reviewer: description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs. keywords: apis, supported apis, Power BI, reports search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create custom reports using Power BI [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] In this section you will learn create a Power BI report on top of Defender for Endpoint APIs. @@ -46,9 +53,9 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a ``` let - AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti'", + AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti' | limit 20", - HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries", + HuntingUrl = "https://api.securitycenter.microsoft.com/api/advancedqueries", Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])), @@ -87,17 +94,17 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a - Click **Edit Credentials** - ![Image of edit credentials](images/power-bi-edit-credentials.png) + ![Image of edit credentials0](images/power-bi-edit-credentials.png) - Select **Organizational account** > **Sign in** - ![Image of set credentials](images/power-bi-set-credentials-organizational.png) + ![Image of set credentials1](images/power-bi-set-credentials-organizational.png) - Enter your credentials and wait to be signed in - Click **Connect** - ![Image of set credentials](images/power-bi-set-credentials-organizational-cont.png) + ![Image of set credentials2](images/power-bi-set-credentials-organizational-cont.png) - Now the results of your query will appear as table and you can start build visualizations on top of it! @@ -114,7 +121,7 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a Query = "MachineActions", - Source = OData.Feed("https://api.securitycenter.windows.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true]) + Source = OData.Feed("https://api.securitycenter.microsoft.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true]) in Source diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md new file mode 100644 index 0000000000..b46d84553b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -0,0 +1,73 @@ +--- +title: Microsoft Defender for Endpoint API release notes +description: Release notes for updates made to the Microsoft Defender for Endpoint set of APIs. +keywords: microsoft defender for endpoint api release notes, mde, apis, mdatp api, updates, notes, release +search.product: eADQiWindows 10XVcnh +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde +--- + +# Microsoft Defender for Endpoint API release notes + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +The following information lists the updates made to the Microsoft Defender for Endpoint APIs and the dates they were made. + + +### 25.01.2021 +

      + +- Updated rate limitations for [Advanced Hunting API](run-advanced-query-api.md) from 15 to 45 requests per minute. + +
      + +### 21.01.2021 +
      + +- Added new API: [Find devices by tag](machine-tags.md). +- Added new API: [Import Indicators](import-ti-indicators.md). + +
      + +### 03.01.2021 +
      + +- Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties. +- Updated [Alert entity](alerts.md): added ***detectorId*** property. + +
      + +### 15.12.2020 +
      + +- Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md). + +
      + +### 04.11.2020 +
      + +- Added new API: [Set device value](set-device-value.md). +- Updated [Device](machine.md) entity: added ***deviceValue*** property. + +
      + +### 01.09.2020 +
      + +- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md). + +
      +
      \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md index 9c8c96f2ea..362d381ce7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md @@ -3,7 +3,7 @@ title: Microsoft Defender ATP API license and terms of use description: Description of the license and terms of use for Microsoft Defender APIs keywords: license, terms, apis, legal, notices, code of conduct search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,14 +12,18 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Defender for Endpoint API license and terms of use [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ## APIs diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index c105db89bb..1983cf9886 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md @@ -1,10 +1,10 @@ --- -title: Access the Microsoft Defender Advanced Threat Protection APIs +title: Access the Microsoft Defender Advanced Threat Protection APIs ms.reviewer: description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities keywords: apis, api, wdatp, open api, microsoft defender atp api, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,26 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Access the Microsoft Defender for Endpoint APIs [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + -> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md index a8bf456da1..5efaab6c51 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md @@ -4,7 +4,7 @@ description: Assign read and write or read only access to the Microsoft Defender keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 11/28/2018 +ms.technology: mde --- # Assign user access to Microsoft Defender Security Center @@ -27,6 +28,8 @@ ms.date: 11/28/2018 - Azure Active Directory - Office 365 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md index 74cc0538fb..047eae7fed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md @@ -4,7 +4,7 @@ description: Run the provided attack scenario simulations to experience how Micr keywords: wdatp, test, scenario, attack, simulation, simulated, diy, microsoft defender advanced threat protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,20 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 11/20/2018 +ms.technology: mde --- # Experience Microsoft Defender for Endpoint through simulated attacks [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index b3a31baf6d..da9a3daa46 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -4,7 +4,7 @@ description: Find answers to frequently asked questions about Microsoft Defender keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -14,20 +14,21 @@ ms.author: v-maave ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Attack surface reduction frequently asked questions (FAQ) [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Is attack surface reduction (ASR) part of Windows? -ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions. +ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10, version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions. ## Do I need to have an enterprise license to run ASR rules? @@ -43,7 +44,7 @@ Yes. ASR is supported for Windows Enterprise E3 and above. All of the rules supported with E3 are also supported with E5. -E5 also added greater integration with Defender for Endpoint. With E5, you can [use Defender for Endpoint to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports. +E5 also added greater integration with Defender for Endpoint. With E5, you can [use Defender for Endpoint to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide&preserve-view=true#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports. ## What are the currently supported ASR rules? @@ -77,7 +78,7 @@ Keep the rule in audit mode for about 30 days to get a good baseline for how the ## I'm making the switch from a third-party security solution to Defender for Endpoint. Is there an "easy" way to export rules from another security solution to ASR? -In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Defender for Endpoint) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. +In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. The default configuration for most ASR rules, combined with Defender for Endpoint's real-time protection, will protect against a large number of exploits and vulnerabilities. @@ -127,7 +128,7 @@ Because many legitimate processes throughout a typical day will be calling on ls Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe. -## Related topics +## See also * [Attack surface reduction overview](attack-surface-reduction.md) * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index d2c6d68716..7e26356956 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -3,7 +3,7 @@ title: Use attack surface reduction rules to prevent malware infection description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware. keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,47 +14,105 @@ ms.author: deniseb ms.reviewer: sugamar, jcedola manager: dansimp ms.custom: asr -ms.date: 10/08/2020 +ms.technology: mde + --- -# Reduce attack surfaces with attack surface reduction rules +# Use attack surface reduction rules to prevent malware infection [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks. -Attack surface reduction rules target software behaviors that are often abused by attackers, such as: +## Why attack surface reduction rules are important -- Launching executable files and scripts that attempt to download or run files -- Running obfuscated or otherwise suspicious scripts -- Performing behaviors that apps don't usually initiate during normal day-to-day work +Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help! -Such behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe. +Attack surface reduction rules target certain software behaviors, such as: -Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. +- Launching executable files and scripts that attempt to download or run files; +- Running obfuscated or otherwise suspicious scripts; and +- Performing behaviors that apps don't usually initiate during normal day-to-day work. -Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center. +Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe. For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +## Assess rule impact before deployment + +You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm). + +:::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule"::: + +In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity. + +## Audit mode for evaluation + +Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would affect your organization if they were enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without reducing productivity. + +## Warn mode for users + +(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes. + +Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks. + +### Requirements for warn mode to work + +Warn mode is supported on devices running the following versions of Windows: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later + +Microsoft Defender Antivirus must be running with real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state). + +In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed. +- Minimum platform release requirement: `4.18.2008.9` +- Minimum engine release requirement: `1.1.17400.5` + +For more information and to get your updates, see [Update for Microsoft Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform). + +### Cases where warn mode is not supported + +Warn mode is not supported for the following attack surface reduction rules: + +- [Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`) +- [Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`) +- [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`) + +In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode. + +## Notifications and alerts + +Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. + +In addition, when certain attack surface reduction rules are triggered, alerts are generated. + +Notifications and any alerts that are generated can be viewed in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and in the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)). + +## Advanced hunting and attack surface reduction events + +You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour. + +For example, suppose that an attack surface reduction event occurs on 10 devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on 10 devices), and its timestamp will be 2:15 PM. + +For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md). + ## Attack surface reduction features across Windows versions -You can set attack surface reduction rules for devices running any of the following editions and versions of Windows: +You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows: - Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. +Although attack surface reduction rules don't require a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events. ## Review attack surface reduction events in the Microsoft Defender Security Center -Defender for Endpoint provides detailed reporting for events and blocks, as part of its alert investigation scenarios. +Defender for Endpoint provides detailed reporting for events and blocks as part of alert investigation scenarios. You can query Defender for Endpoint data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment. @@ -70,19 +128,15 @@ DeviceEvents You can review the Windows event log to view events generated by attack surface reduction rules: 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. - 2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer. - 3. Under **Actions**, select **Import custom view...**. - 4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md). - 5. Select **OK**. -This will create a custom view that filters events to only show the following, all of which are related to controlled folder access: +You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access: |Event ID | Description | -|---|---| +|:---|:---| |5007 | Event when settings are changed | |1121 | Event when rule fires in Block-mode | |1122 | Event when rule fires in Audit-mode | @@ -91,25 +145,84 @@ The "engine version" listed for attack surface reduction events in the event log ## Attack surface reduction rules -The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs: +The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name. + +If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Manager or Microsoft Intune, you do not need the GUIDs. + | Rule name | GUID | File & folder exclusions | Minimum OS supported | -|-----|----|---|---| -|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|:-----|:-----:|:-----|:-----| +|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) |`26190899-1602-49e8-8b27-eb1d0a1ce869` |Supported |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | +|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | + +### Block Adobe Reader from creating child processes + +This rule prevents attacks by blocking Adobe Reader from creating processes. + +Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. + +This rule was introduced in: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) + +Intune name: `Process creation from Adobe Reader (beta)` + +Configuration Manager name: Not yet available + +GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` + +### Block all Office applications from creating child processes + +This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access. + +Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Office apps launching child processes` + +Configuration Manager name: `Block Office application from creating child processes` + +GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` + +### Block credential stealing from the Windows local security authority subsystem + +This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS). + +LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. + +> [!NOTE] +> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Flag credential stealing from the Windows local security authority subsystem` + +Configuration Manager name: `Block credential stealing from the Windows local security authority subsystem` + +GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` ### Block executable content from email client and webmail @@ -122,37 +235,86 @@ This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) +- [Microsoft Endpoint Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) +Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)` -Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail +Microsoft Endpoint Manager name: `Block executable content from email client and webmail` GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` -### Block all Office applications from creating child processes +> [!NOTE] +> The rule **Block executable content from email client and webmail** has the following alternative descriptions, depending on which application you use: +> - Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions). +> - Endpoint Manager: Block executable content download from email and webmail clients. +> - Group Policy: Block executable content from email client and webmail. -This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. +### Block executable files from running unless they meet a prevalence, age, or trusted list criterion -Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. +This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: + +- Executable files (such as .exe, .dll, or .scr) + +Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious. + +> [!IMPORTANT] +> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.

      The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly. +> +>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria` + +Configuration Manager name: `Block executable files from running unless they meet a prevalence, age, or trusted list criteria` + +GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25` + +### Block execution of potentially obfuscated scripts + +This rule detects suspicious properties within an obfuscated script. + +Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software. + +This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Office apps launching child processes +Intune name: `Obfuscated js/vbs/ps/macro code` -Configuration Manager name: Block Office application from creating child processes +Configuration Manager name: `Block execution of potentially obfuscated scripts` -GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` +GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` + +### Block JavaScript or VBScript from launching downloaded executable content + +This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet. + +Although not common, line-of-business applications sometimes use scripts to download and launch installers. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `js/vbs executing payload downloaded from Internet (no exceptions)` + +Configuration Manager name: `Block JavaScript or VBScript from launching downloaded executable content` + +GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` ### Block Office applications from creating executable content This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk. - Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. +Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) @@ -160,9 +322,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager) -Intune name: Office apps/macros creating executable content +Intune name: `Office apps/macros creating executable content` -SCCM name: Block Office applications from creating executable content +SCCM name: `Block Office applications from creating executable content` GUID: `3B576869-A4EC-4529-8536-B80A7769E899` @@ -182,130 +344,50 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Office apps injecting code into other processes (no exceptions) +Intune name: `Office apps injecting code into other processes (no exceptions)` -Configuration Manager name: Block Office applications from injecting code into other processes +Configuration Manager name: `Block Office applications from injecting code into other processes` GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` -### Block JavaScript or VBScript from launching downloaded executable content +### Block Office communication application from creating child processes -This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet. +This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. -Although not common, line-of-business applications sometimes use scripts to download and launch installers. +This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +> [!NOTE] +> This rule applies to Outlook and Outlook.com only. + +This rule was introduced in: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: js/vbs executing payload downloaded from Internet (no exceptions) +Intune name: `Process creation from Office communication products (beta)` -Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content +Configuration Manager name: Not available -GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` +GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869` -### Block execution of potentially obfuscated scripts +### Block persistence through WMI event subscription -This rule detects suspicious properties within an obfuscated script. - -Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software. - -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Obfuscated js/vbs/ps/macro code - -Configuration Manager name: Block execution of potentially obfuscated scripts. - -GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` - -### Block Win32 API calls from Office macros - -This rule prevents VBA macros from calling Win32 APIs. - -Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. - -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Win32 imports from Office macro code - -Configuration Manager name: Block Win32 API calls from Office macros - -GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` - -### Block executable files from running unless they meet a prevalence, age, or trusted list criterion - -This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: - -- Executable files (such as .exe, .dll, or .scr) - -Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious. +This rule prevents malware from abusing WMI to attain persistence on a device. > [!IMPORTANT] -> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.

      The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. -> ->You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. +> File and folder exclusions don't apply to this attack surface reduction rule. + +Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) +- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) +- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909) -Intune name: Executables that don't meet a prevalence, age, or trusted list criteria. +Intune name: Not available -Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria +Configuration Manager name: Not available -GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25` - -### Use advanced protection against ransomware - -This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list. - -> [!NOTE] -> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Advanced ransomware protection - -Configuration Manager name: Use advanced protection against ransomware - -GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` - -### Block credential stealing from the Windows local security authority subsystem - -This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS). - -LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. - -> [!NOTE] -> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Flag credential stealing from the Windows local security authority subsystem - -Configuration Manager name: Block credential stealing from the Windows local security authority subsystem - -GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` +GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b` ### Block process creations originating from PSExec and WMI commands @@ -319,7 +401,7 @@ This rule was introduced in: - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -Intune name: Process creation from PSExec and WMI commands +Intune name: `Process creation from PSExec and WMI commands` Configuration Manager name: Not applicable @@ -335,74 +417,52 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Untrusted and unsigned processes that run from USB +Intune name: `Untrusted and unsigned processes that run from USB` -Configuration Manager name: Block untrusted and unsigned processes that run from USB +Configuration Manager name: `Block untrusted and unsigned processes that run from USB` GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` -### Block Office communication application from creating child processes +### Block Win32 API calls from Office macros -This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. +This rule prevents VBA macros from calling Win32 APIs. -This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. +Office VBA enables Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Win32 imports from Office macro code` + +Configuration Manager name: `Block Win32 API calls from Office macros` + +GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` + +### Use advanced protection against ransomware + +This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list. > [!NOTE] -> This rule applies to Outlook and Outlook.com only. +> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule. This rule was introduced in: -- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Process creation from Office communication products (beta) +Intune name: `Advanced ransomware protection` -Configuration Manager name: Not yet available +Configuration Manager name: `Use advanced protection against ransomware` -GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869` +GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` -### Block Adobe Reader from creating child processes - -This rule prevents attacks by blocking Adobe Reader from creating additional processes. - -Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. - -This rule was introduced in: -- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - -Intune name: Process creation from Adobe Reader (beta) - -Configuration Manager name: Not yet available - -GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` - -### Block persistence through WMI event subscription - -This rule prevents malware from abusing WMI to attain persistence on a device. - -> [!IMPORTANT] -> File and folder exclusions don't apply to this attack surface reduction rule. - -Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. - -This rule was introduced in: -- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) -- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909) - -Intune name: Not yet available - -Configuration Manager name: Not yet available - -GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b` - -## Related topics +## See also - [Attack surface reduction FAQ](attack-surface-reduction-faq.md) - - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) - - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - -- [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) +- [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md index b442dcb82a..e851516dcb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md +++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md @@ -1,9 +1,9 @@ --- -title: Test how Microsoft Defender ATP features work in audit mode -description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it was enabled. +title: Test how Microsoft Defender for Endpoint features work in audit mode +description: Audit mode helps you see how Microsoft Defender for Endpoint would protect your devices if it was enabled. keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,20 +13,21 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Test how Microsoft Defender for Endpoint features work in audit mode [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature. -You may want to enable audit mode when testing how the features will work in your organization. Ensure it doesn't affect your line-of-business apps, and get an idea of how many suspicious file modification attempts generally occur over a certain period of time. +You may want to enable audit mode when testing how the features will work in your organization. This will help make sure your line-of-business apps aren't affected. You can also get an idea of how many suspicious file modification attempts occur over a certain period of time. The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what impact the feature would have had if it was enabled. @@ -34,19 +35,17 @@ To find the audited entries, go to **Applications and Services** > **Microsoft** You can use Defender for Endpoint to get greater details for each event, especially for investigating attack surface reduction rules. Using the Defender for Endpoint console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -This article provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. - You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. - Audit options | How to enable audit mode | How to view events --|-|- -Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) -Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) -Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) -|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer) + **Audit options** | **How to enable audit mode** | **How to view events** +|---------|---------|---------| +| Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) +| Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) +| Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) +| Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index 0a77813dd2..f4a000c3eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -1,9 +1,9 @@ --- -title: View details and results of automated investigations +title: Visit the Action center to see remediation actions description: Use the action center to view details and results following an automated investigation keywords: action, center, autoir, automated, investigation, response, remediation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,159 +13,77 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint -ms.topic: article +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: how-to ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs -ms.date: 09/24/2020 +ms.date: 01/28/2021 +ms.technology: mde --- -# View details and results of automated investigations +# Visit the Action center to see remediation actions -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +During and after an automated investigation, remediation actions for threat detections are identified. Depending on the particular threat and how [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically, and others require approval. If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center**. -During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically. +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation. +## (NEW!) A unified Action center ->[!NOTE] ->If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the device or device group will be able to view the entire investigation. -## The Action center +We are pleased to announce a new, unified Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center))! -![Action center page](images/action-center.png) +:::image type="content" source="images/mde-action-center-unified.png" alt-text="Action center in Microsoft 365 security center"::: -The action center consists of two main tabs: **Pending actions** and **History**. -- **Pending actions** Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. The Pending tab appears only if there are pending actions to be approved (or rejected). -- **History** Acts as an audit log for all of the following items:
      - - Remediation actions that were taken as a result of an automated investigation - - Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) - - Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone) - - Remediation actions that were applied by Microsoft Defender Antivirus (some actions can be undone) +The following table compares the new, unified Action center to the previous Action center. -Use the **Customize columns** menu to select columns that you'd like to show or hide. - -You can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. - -## The Investigations page - -![Image of Auto investigations page](images/atp-auto-investigations-list.png) - -On the **Investigations** page, you'll find a list of all automated investigations. Select an item in the list to view additional information about that automated investigation. - -By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. - -Use the **Customize columns** menu to select columns that you'd like to show or hide. - -From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. - -### Filters for the list of investigations - -On the **Investigations** page, you can view details and use filters to focus on specific information. The following table lists available filters: - -|Filter |Description | +|The new, unified Action center |The previous Action center | |---------|---------| -|**Status** |(See [Automated investigation status](#automated-investigation-status)) | -|**Triggering alert** | The alert that initiated the automated investigation | -|**Detection source** |The source of the alert that initiated the automated investigation | -|**Entities** | Entities can include device or devices, and device groups. You can filter the automated investigations list to zone in a specific device to see other investigations related to the device, or to see specific device groups that were created. | -|**Threat** |The category of threat detected during the automated investigation | -|**Tags** |Filter using manually added tags that capture the context of an automated investigation| -|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't| +|Lists pending and completed actions for devices and email in one location
      ([Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) plus [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp))|Lists pending and completed actions for devices
      ([Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) only) | +|Is located at:
      [https://security.microsoft.com/action-center](https://security.microsoft.com/action-center) |Is located at:
      [https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center) | +| In the Microsoft 365 security center, choose **Action center**.

      :::image type="content" source="images/action-center-nav-new.png" alt-text="Navigating to the Action Center in the Microsoft 365 security center"::: | In the Microsoft Defender Security Center, choose **Automated investigations** > **Action center**.

      :::image type="content" source="images/action-center-nav-old.png" alt-text="Navigating to the Action center from the Microsoft Defender Security Center"::: | -## Automated investigation status +The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions, and provides a unified investigation experience. -An automated investigation can have one of the following status values: +You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions: +- [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) +- [Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) +- [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) -|Status |Description | +> [!TIP] +> To learn more, see [Requirements](https://docs.microsoft.com/microsoft-365/security/mtp/prerequisites). + +## Using the Action center + +To get to the unified Action center in the improved Microsoft 365 security center: +1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. +2. In the navigation pane, select **Action center**. + +When you visit the Action center, you see two tabs: **Pending actions** and **History**. The following table summarizes what you'll see on each tab: + +|Tab |Description | |---------|---------| -| Running | The investigation process has started and is underway. Malicious artifacts that are found are remediated. | -| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for specific details. | -| No threats found | The investigation has finished and no threats were identified.
      If you suspect something was missed (such as a false negative), you can use [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). | -| Pending action | The investigation has found a threat, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to see if other items are still pending completion. | -| Remediated | The investigation finished and all actions were approved (fully remediated). | -| Partially remediated | The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending. | -| Terminated by system | The investigation stopped. An investigation can stop for several reasons:
      - The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time.
      - There are too many actions in the list.
      Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions. | -| Failed | At least one investigation analyzer ran into a problem where it could not complete properly.

      If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results. | -| Queued | An investigation is being held in a queue. When other investigations complete, queued investigations begin. | -| Waiting for device | Investigation paused. The investigation will resume as soon as the device is available. | -| Terminated by user | A user stopped the investigation before it could complete. | +|**Pending** | Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as **Quarantine file**).
      **TIP**: Make sure to [review and approve (or reject) pending actions](manage-auto-investigation.md) as soon as possible so that your automated investigations can complete in a timely manner. | +|**History** | Serves as an audit log for actions that were taken, such as:
      - Remediation actions that were taken as a result of automated investigations
      - Remediation actions that were approved by your security operations team
      - Commands that were run and remediation actions that were applied during Live Response sessions
      - Remediation actions that were taken by threat protection features in Microsoft Defender Antivirus

      Provides a way to undo certain actions (see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions)). | +You can customize, sort, filter, and export data in the Action center. -## View details about an automated investigation +:::image type="content" source="images/new-action-center-columnsfilters.png" alt-text="Columns and filters in the Action center"::: -![Image of investigation details window](images/atp-analyze-auto-ir.png) - -You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the device that was investigated, and other information. - -In this view, you'll see the name of the investigation, when it started and ended. - -### Investigation graph - -The investigation graph provides a graphical representation of an automated investigation. All investigation-related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information. - -A progress ring shows two status indicators: -- Orange ring - shows the pending portion of the investigation -- Green ring - shows the running time portion of the investigation - -![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png) - -In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds. - -The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval. - -From this view, you can also view and add comments and tags about the investigation. - -### Alerts - -The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the device associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned. - -Additional alerts seen on a device can be added to an automated investigation as long as the investigation is ongoing. - -Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related device, logged-on users, and comments and history. - -Clicking on an alert title brings you the alert page. - -### Devices - -The **Devices** tab Shows details the device name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated. - -Devices that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. - -Selecting a device using the checkbox brings up the device details pane where you can see more information such as device details and logged-on users. - -Clicking on a device name brings you the device page. - -### Evidence - -The **Evidence** tab shows details related to threats associated with this investigation. - -### Entities - -The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or had no threats found. - -### Log - -The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, device name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration. - -As with other sections, you can customize columns, select the number of items to show per page, and filter the log. - -Available filters include action type, action, status, device name, and description. - -You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data. - -### Pending actions - -If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image. - -![Image of pending actions](images/pending-actions.png) - -When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**. +- Select a column heading to sort items in ascending or descending order. +- Use the time period filter to view data for the past day, week, 30 days, or 6 months. +- Choose the columns that you want to view. +- Specify how many items to include on each page of data. +- Use filters to view just the items you want to see. +- Select **Export** to export results to a .csv file. ## Next steps - [View and approve remediation actions](manage-auto-investigation.md) - - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) +## See also + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/autoir-investigation-results.md b/windows/security/threat-protection/microsoft-defender-atp/autoir-investigation-results.md new file mode 100644 index 0000000000..dfde5d03b9 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/autoir-investigation-results.md @@ -0,0 +1,94 @@ +--- +title: Details and results of an automated investigation +description: During and after an automated investigation, you can view the results and key findings +keywords: automated, investigation, results, analyze, details, remediation, autoair +search.appverid: met150 +ms.prod: m365-security +ms.technology: mde +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +f1.keywords: +- NOCSH +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365initiative-m365-defender +ms.topic: conceptual +ms.custom: autoir +ms.reviewer: evaldm, isco +ms.date: 02/02/2021 +--- + +# Details and results of an automated investigation + +**Applies to:** +- Microsoft Defender for Endpoint + +With Microsoft Defender for Endpoint, when an [automated investigation](automated-investigations.md) runs, details about that investigation are available both during and after the automated investigation process. If you have the necessary permissions, you can view those details in an investigation details view. The investigation details view provides you with up-to-date status and the ability to approve any pending actions. + +## (NEW!) Unified investigation page + +The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) and [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp). + +> [!TIP] +> To learn more about what's changing, see [(NEW!) Unified investigation page](/microsoft-365/security/mtp/mtp-autoir-results). + +## Open the investigation details view + +You can open the investigation details view by using one of the following methods: +- [Select an item in the Action center](#select-an-item-in-the-action-center) +- [Select an investigation from an incident details page](#open-an-investigation-from-an-incident-details-page) + +### Select an item in the Action center + +The improved [Action center](auto-investigation-action-center.md) brings together [remediation actions](manage-auto-investigation.md#remediation-actions) across your devices, email & collaboration content, and identities. Listed actions include remediation actions that were taken automatically or manually. In the Action center, you can view actions that are awaiting approval and actions that were already approved or completed. You can also navigate to more details, such as an investigation page. + +1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in. +2. In the navigation pane, choose **Action center**. +3. On either the **Pending** or **History** tab, select an item. Its flyout pane opens. +4. Review the information in the flyout pane, and then take one of the following steps: + - Select **Open investigation page** to view more details about the investigation. + - Select **Approve** to initiate a pending action. + - Select **Reject** to prevent a pending action from being taken. + - Select **Go hunt** to go into [Advanced hunting](advanced-hunting-overview.md). + +### Open an investigation from an incident details page + +Use an incident details page to view detailed information about an incident, including alerts that were triggered information about any affected devices, user accounts, or mailboxes. + +1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in. +2. In the navigation pane, choose **Incidents & alerts** > **Incidents**. +3. Select an item in the list, and then choose **Open incident page**. +4. Select the **Investigations** tab, and then select an investigation in the list. Its flyout pane opens. +5. Select **Open investigation page**. + +## Investigation details + +Use the investigation details view to see past, current, and pending activity pertaining to an investigation. The investigation details view resembles the following image: + +In the Investigation details view, you can see information on the **Investigation graph**, **Alerts**, **Devices**, **Identities**, **Key findings**, **Entities**, **Log**, and **Pending actions** tabs, described in the following table. + +> [!NOTE] +> The specific tabs you see in an investigation details page depends on what your subscription includes. For example, if your subscription does not include Microsoft Defender for Office 365 Plan 2, you won't see a **Mailboxes** tab. + +| Tab | Description | +|:--------|:--------| +| **Investigation graph** | Provides a visual representation of the investigation. Depicts entities and lists threats found, along with alerts and whether any actions are awaiting approval.
      You can select an item on the graph to view more details. For example, selecting the **Evidence** icon takes you to the **Evidence** tab, where you can see detected entities and their verdicts. | +| **Alerts** | Lists alerts associated with the investigation. Alerts can come from threat protection features on a user's device, in Office apps, Cloud App Security, and other Microsoft 365 Defender features.| +| **Devices** | Lists devices included in the investigation along with their remediation level. (Remediation levels correspond to the [automation level for device groups](automation-levels.md).) | +| **Mailboxes** |Lists mailboxes that are impacted by detected threats. | +| **Users** | Lists user accounts that are impacted by detected threats. | +| **Evidence** | Lists pieces of evidence raised by alerts/investigations. Includes verdicts (*Malicious*, *Suspicious*, or *No threats found*) and remediation status. | +| **Entities** | Provides details about each analyzed entity, including a verdict for each entity type (*Malicious*, *Suspicious*, or *No threats found*).| +|**Log** | Provides a chronological, detailed view of all the investigation actions taken after an alert was triggered.| +| **Pending actions** | Lists items that require approval to proceed. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) to approve pending actions. | + +## See also + +- [Review remediation actions following an automated investigation](manage-auto-investigation.md) +- [View and organize the Microsoft Defender for Endpoint Incidents queue](view-incidents-queue.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 42a409f78e..ab8f4e0d15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -1,24 +1,24 @@ --- title: Use automated investigations to investigate and remediate threats description: Understand the automated investigation flow in Microsoft Defender for Endpoint. -keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export, defender atp +keywords: automated, investigation, detection, defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 10/21/2020 +ms.date: 02/02/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint -ms.topic: conceptual +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: how-to ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs ms.custom: AIR --- @@ -27,48 +27,30 @@ ms.custom: AIR [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively. - -Watch the following video to see how automated investigation and remediation works: +Want to see how it works? Watch the following video:

      > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh] -Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions. +The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. All remediation actions, whether pending or completed, are tracked in the [Action center](auto-investigation-action-center.md). In the Action center, pending actions are approved (or rejected), and completed actions can be undone if needed. + +This article provides an overview of AIR and includes links to next steps and additional resources. > [!TIP] > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink). ## How the automated investigation starts -When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. +An automated investigation can start when an alert is triggered or when a security operator initiates the investigation. ->[!NOTE] ->Currently, automated investigation only supports the following OS versions: ->- Windows Server 2019 ->- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later ->- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later ->- Later versions of Windows 10 - -## Details of an automated investigation - -During and after an automated investigation, you can view details about the investigation. Select a triggering alert to view the investigation details. From there, you can go to the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs. - -|Tab |Description | -|--|--| -|**Alerts**| The alert(s) that started the investigation.| -|**Devices** |The device(s) where the threat was seen.| -|**Evidence** |The entities that were found to be malicious during an investigation.| -|**Entities** |Details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). | -|**Log** |The chronological, detailed view of all the investigation actions taken on the alert.| -|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. | - -> [!IMPORTANT] -> Go to the **[Action center](auto-investigation-action-center.md)** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions. +|Situation |What happens | +|---------|---------| +|An alert is triggered | In general, an automated investigation starts when an [alert](review-alerts.md) is triggered, and an [incident](view-incidents-queue.md) is created. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and incident is created. An automated investigation process begins on the device. As other alerts are generated because of the same file on other devices, they are added to the associated incident and to the automated investigation. | +|An investigation is started manually | An automated investigation can be started manually by your security operations team. For example, suppose a security operator is reviewing a list of devices and notices that a device has a high risk level. The security operator can select the device in the list to open its flyout, and then select **Initiate Automated Investigation**. | ## How an automated investigation expands its scope @@ -78,24 +60,39 @@ If an incriminated entity is seen in another device, the automated investigation ## How threats are remediated -As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. +As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be +- *Malicious*; +- *Suspicious*; or +- *No threats found*. -As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](manage-auto-investigation.md#remediation-actions).) +As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. To learn more, see [Remediation actions](manage-auto-investigation.md#remediation-actions). -Depending on the [level of automation](automation-levels.md) set for your organization, remediation actions can occur automatically or only upon approval by your security operations team. +Depending on the [level of automation](automation-levels.md) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Additional security settings that can affect automatic remediation include [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (PUA). -All remediation actions, whether pending or completed, can be viewed in Action Center. If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).) +All remediation actions, whether pending or completed, are tracked in the [Action center](auto-investigation-action-center.md). If necessary, your security operations team can undo a remediation action. To learn more, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation). + +> [!TIP] +> Check out the new, unified investigation page in the Microsoft 365 security center. To learn more, see [(NEW!) Unified investigation page](/microsoft-365/security/mtp/mtp-autoir-results.md#new-unified-investigation-page). + + +## Requirements for AIR + +Your organization must have Defender for Endpoint (see [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md)). + +Currently, AIR only supports the following OS versions: +- Windows Server 2019 +- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later +- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later +- Windows 10, version [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later ## Next steps -- [Get an overview of the automated investigations dashboard](manage-auto-investigation.md) - - [Learn more about automation levels](automation-levels.md) - - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) +- [Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint](configure-automated-investigations-remediation.md) ## See also +- [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) - [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) - -- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) +- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md index 9fa9ebd762..d0ace26d8c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md @@ -4,8 +4,8 @@ description: Get an overview of automation levels and how they work in Microsoft keywords: automated, investigation, level, defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,8 +16,8 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs ms.custom: AIR @@ -25,6 +25,10 @@ ms.custom: AIR # Automation levels in automated investigation and remediation capabilities +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval. - *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. - *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table in [Levels of automation](#levels-of-automation).) diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index fed2ad3911..f543ecb8a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -4,7 +4,7 @@ description: Learn how to use basic permissions to access the Microsoft Defender keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Use basic permissions to access the portal @@ -22,32 +23,36 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** - - Azure Active Directory - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) -Refer to the instructions below to use basic permissions management. +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) + +Refer to the instructions below to use basic permissions management. You can use either of the following solutions: - Azure PowerShell -- Azure portal +- Azure portal For granular control over permissions, [switch to role-based access control](rbac.md). ## Assign user access using Azure PowerShell + You can assign users with one of the following levels of permissions: - Full access (Read and Write) - Read-only access ### Before you begin + - Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
      > [!NOTE] > You need to run the PowerShell cmdlets in an elevated command-line. -- Connect to your Azure Active Directory. For more information, see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). + +- Connect to your Azure Active Directory. For more information, see [Connect-MsolService](https://docs.microsoft.com/powershell/module/msonline/connect-msolservice?view=azureadps-1.0&preserve-view=true). **Full access**
      Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. @@ -61,19 +66,23 @@ Assigning read-only access rights requires adding the users to the "Security Rea Use the following steps to assign security roles: - For **read and write** access, assign users to the security administrator role by using the following command: - ```text + + ```PowerShell Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" ``` + - For **read-only** access, assign users to the security reader role by using the following command: - ```text + + ```PowerShell Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com" ``` -For more information, see, [Add, or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). +For more information, see [Add or remove group members using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal). ## Assign user access using the Azure portal -For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). +For more information, see [Assign administrator and non-administrator roles to users with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). ## Related topic + - [Manage portal access using RBAC](rbac.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md new file mode 100644 index 0000000000..2b93144552 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md @@ -0,0 +1,108 @@ +--- +title: Batch Update alert entities API +description: Learn how to update Microsoft Defender for Endpoint alerts in a batch by using this API. You can update the status, determination, classification, and assignedTo properties. +keywords: apis, graph api, supported apis, get, alert, information, id +search.product: eADQiWindows 10XVcnh +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde +--- + +# Batch update alerts + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + + +## API description +Updates properties of a batch of existing [Alerts](alerts.md). +
      Submission of **comment** is available with or without updating properties. +
      Updatable properties are: `status`, `determination`, `classification` and `assignedTo`. + + +## Limitations +1. You can update alerts that are available in the API. See [List Alerts](get-alerts.md) for more information. +2. Rate limitations for this API are 10 calls per minute and 500 calls per hour. + + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alerts.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) + +## HTTP request +```http +POST /api/alerts/batchUpdate +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | String | application/json. **Required**. + + +## Request body +In the request body, supply the IDs of the alerts to be updated and the values of the relevant fields that you wish to update for these alerts. +
      Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. +
      For best performance you shouldn't include existing values that haven't changed. + +Property | Type | Description +:---|:---|:--- +alertIds | List<String>| A list of the IDs of the alerts to be updated. **Required** +status | String | Specifies the updated status of the specified alerts. The property values are: 'New', 'InProgress' and 'Resolved'. +assignedTo | String | Owner of the specified alerts +classification | String | Specifies the specification of the specified alerts. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. +determination | String | Specifies the determination of the specified alerts. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other' +comment | String | Comment to be added to the specified alerts. + +## Response +If successful, this method returns 200 OK, with an empty response body. + + +## Example + +**Request** + +Here is an example of the request. + +```http +POST https://api.securitycenter.microsoft.com/api/alerts/batchUpdate +``` + +```json +{ + "alertIds": ["da637399794050273582_760707377", "da637399989469816469_51697947354"], + "status": "Resolved", + "assignedTo": "secop2@contoso.com", + "classification": "FalsePositive", + "determination": "Malware", + "comment": "Resolve my alert and assign to secop2" +} +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 05ec75c8d0..f5c2868d55 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md @@ -8,26 +8,28 @@ author: denisebmsft ms.author: deniseb manager: dansimp ms.reviewer: shwetaj -audience: ITPro -ms.topic: article -ms.prod: w10 +audience: ITPro +ms.topic: article +ms.prod: m365-security ms.localizationpriority: medium ms.custom: -- next-gen -- edr + - next-gen + - edr ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint +ms.technology: mde --- # Behavioral blocking and containment [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) ## Overview diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md index bbff2e68b9..71162e7251 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md @@ -4,7 +4,7 @@ description: Check the sensor health on devices to identify which ones are misco keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,19 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- # Check sensor health state in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md index ef5d153836..e492aea556 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md +++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md @@ -8,26 +8,28 @@ author: denisebmsft ms.author: deniseb manager: dansimp ms.reviewer: shwetaj -audience: ITPro -ms.topic: article -ms.prod: w10 +audience: ITPro +ms.topic: article +ms.prod: m365-security ms.localizationpriority: medium ms.custom: -- next-gen -- edr + - next-gen + - edr ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint +ms.technology: mde --- # Client behavioral blocking [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) ## Overview diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index 0d6949ea0b..3e7ccee247 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -3,7 +3,7 @@ title: Collect investigation package API description: Use this API to create calls related to the collecting an investigation package from a device. keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,19 +12,26 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article - +ms.technology: mde --- # Collect investigation package API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + ## API description Collect investigation package from a device. @@ -49,7 +56,7 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage +POST https://api.securitycenter.microsoft.com/api/machines/{id}/collectInvestigationPackage ``` ## Request headers @@ -76,11 +83,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - +```http +POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage ``` -POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage -Content-type: application/json + +```json { "Comment": "Collect forensics due to alert 1234" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md index 34adbf6fbe..bfe0fa9e88 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md @@ -1,9 +1,9 @@ --- title: Common Microsoft Defender ATP API errors description: List of common Microsoft Defender ATP API errors with descriptions. -keywords: apis, mdatp api, errors, troubleshooting +keywords: apis, mdatp api, errors, troubleshooting search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Common REST API error codes [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + * The error codes listed in the following table may be returned by an operation on any of Microsoft Defender for Endpoint APIs. -* Note that in addition to the error code, every error response contains an error message which can help resolving the problem. -* Note that the message is a free text that can be changed. -* At the bottom of the page you can find response examples. +* In addition to the error code, every error response contains an error message, which can help resolve the problem. +* The message is a free text that can be changed. +* At the bottom of the page, you can find response examples. + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) + + + Error code |HTTP status code |Message :---|:---|:--- @@ -45,13 +52,14 @@ DisabledFeature | Forbidden (403) | Tenant feature is not enabled. DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason}. NotFound | Not Found (404) | General Not Found error message. ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found. -InternalServerError | Internal Server Error (500) | (No error message, try retry the operation or contact us if it does not resolved) +InternalServerError | Internal Server Error (500) | (No error message, retry the operation) +TooManyRequests | Too Many Requests (429) | Response will represent reaching quota limit either by number of requests or by CPU. ## Body parameters are case-sensitive The submitted body parameters are currently case-sensitive.
      If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter. -
      We recommend that you go to the requested API documentation page and check that the submitted parameters match the relevant example. +
      Review the API documentation page and check that the submitted parameters match the relevant example. ## Correlation request ID diff --git a/windows/security/threat-protection/microsoft-defender-atp/community.md b/windows/security/threat-protection/microsoft-defender-atp/community.md index f68dcdeab3..e8debb489b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/community.md +++ b/windows/security/threat-protection/microsoft-defender-atp/community.md @@ -1,10 +1,10 @@ --- -title: Access the Microsoft Defender ATP Community Center -description: Access the Microsoft Defender ATP Community Center to share experiences, engange, and learn about the product. +title: Access the Microsoft Defender for Endpoint Community Center +description: Access the Microsoft Defender ATP Community Center to share experiences, engage, and learn about the product. keywords: community, community center, tech community, conversation, announcements search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/24/2018 +ms.technology: mde --- @@ -23,11 +24,11 @@ ms.date: 04/24/2018 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) The Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product. diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md index a0ace30f14..93ea0017f4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md @@ -4,7 +4,7 @@ description: Enable Conditional Access to prevent applications from running if a keywords: conditional access, block applications, security level, intune, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,18 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Enable Conditional Access to better protect users, devices, and data [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - - +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index aca0be0b19..45279a411f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -1,10 +1,10 @@ --- -title: Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections +title: Configure Micro Focus ArcSight to pull Microsoft Defender for Endpoint detections description: Configure Micro Focus ArcSight to receive and pull detections from Microsoft Defender Security Center keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,18 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure Micro Focus ArcSight to pull Defender for Endpoint detections [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md index 736ab0b846..6734313b4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md @@ -1,10 +1,10 @@ --- title: Configure attack surface reduction -description: Use Microsoft Intune, Microsoft Endpoint Configuration Manager, Powershell cmdlets, and Group Policy to configure attack surface reduction. +description: Use Microsoft Intune, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and Group Policy to configure attack surface reduction. keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,16 +13,22 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Configure attack surface reduction [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -You can configure attack surface reduction with a number of tools, including: +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) + +You can configure attack surface reduction with many tools, including: * Microsoft Intune * Microsoft Endpoint Configuration Manager diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index f8d91cd3e1..e77d4f82c5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -4,8 +4,8 @@ description: Set up your automated investigation and remediation capabilities in keywords: configure, setup, automated, investigation, detection, alerts, remediation, response search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,9 @@ author: denisebmsft ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 09/24/2020 +ms.collection: M365-security-compliance +ms.topic: how-to +ms.date: 01/27/2021 ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs --- @@ -24,14 +24,17 @@ ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - -**Applies to** - +**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Defender for Endpoint), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). -To configure automated investigation and remediation, [turn on the features](#turn-on-automated-investigation-and-remediation), and then [set up device groups](#set-up-device-groups). +To configure automated investigation and remediation, +1. [Turn on the features](#turn-on-automated-investigation-and-remediation); and +2. [Set up device groups](#set-up-device-groups). ## Turn on automated investigation and remediation @@ -46,7 +49,7 @@ To configure automated investigation and remediation, [turn on the features](#tu 2. Select **+ Add device group**. 3. Create at least one device group, as follows: - Specify a name and description for the device group. - - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). + - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [Automation levels in automated investigation and remediation](automation-levels.md). - In the **Members** section, use one or more conditions to identify and include devices. - On the **User access** tab, select the [Azure Active Directory groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups?context=azure/active-directory/users-groups-roles/context/ugr-context) who should have access to the device group you're creating. 4. Select **Done** when you're finished setting up your device group. @@ -54,8 +57,8 @@ To configure automated investigation and remediation, [turn on the features](#tu ## Next steps - [Visit the Action Center to view pending and completed remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) +- [Review and approve pending actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation) -- [Review and approve actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation) - -- [Manage indicators for files, IP addresses, URLs, or domains](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) +## See also +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md index 206e5721b3..2fe50d0988 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md @@ -4,7 +4,7 @@ description: Learn about steps that you need to do in Intune, Microsoft Defender keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure Conditional Access in Microsoft Defender for Endpoint @@ -23,6 +24,9 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) This section guides you through all the steps you need to take to properly implement Conditional Access. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index f7ccfe871b..904b50ea79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -4,7 +4,7 @@ description: You can use Microsoft Defender Advanced Threat Protection to config keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,18 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure alert notifications in Microsoft Defender ATP [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index 5360517315..166d6e77a5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md @@ -4,7 +4,7 @@ description: Use Group Policy to deploy the configuration package on Windows 10 keywords: configure devices using group policy, device management, configure Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, group policy search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,31 +13,28 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- # Onboard Windows 10 devices using Group Policy [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - Group Policy - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - - - +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) > [!NOTE] > To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later. - +> > For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates. ## Onboard devices using Group Policy @@ -51,13 +48,13 @@ Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/publ 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Onboarding**. + 1. In the navigation pane, select **Settings** > **Onboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **Group policy**. + 1. In the **Deployment method** field, select **Group policy**. - d. Click **Download package** and save the .zip file. + 1. Click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*. @@ -87,16 +84,16 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa 1. On your GP management device, copy the following files from the configuration package: - a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_ + - Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_ - b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_ + - Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_ If you are using a [Central Store for Group Policy Administrative Templates](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra), copy the following files from the configuration package: - a. Copy _AtpConfiguration.admx_ into _\\\\\\\SysVol\\\\\Policies\\PolicyDefinitions_ + - Copy _AtpConfiguration.admx_ into _\\\\\\\SysVol\\\\\Policies\\PolicyDefinitions_ - b. Copy _AtpConfiguration.adml_ into _\\\\\\\SysVol\\\\\Policies\\PolicyDefinitions\\en-US_ + - Copy _AtpConfiguration.adml_ into _\\\\\\\SysVol\\\\\Policies\\PolicyDefinitions\\en-US_ 2. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11), right-click the GPO you want to configure and click **Edit**. @@ -126,6 +123,7 @@ Policy | Setting :---|:--- Enable\Disable Sample collection| Enabled - "Enable sample collection on machines" checked +
      **Policy location:** \Windows Components\Windows Defender Antivirus @@ -133,6 +131,8 @@ Policy | Setting :---|:--- Configure detection for potentially unwanted applications | Enabled, Block +
      + **Policy location:** \Windows Components\Windows Defender Antivirus\MAPS Policy | Setting @@ -140,6 +140,8 @@ Policy | Setting Join Microsoft MAPS | Enabled, Advanced MAPS Send file samples when further analysis is required | Enabled, Send safe samples +
      + **Policy location:** \Windows Components\Windows Defender Antivirus\Real-time Protection Policy | Setting @@ -149,6 +151,7 @@ Turn on behavior monitoring|Enabled Scan all downloaded files and attachments|Enabled Monitor file and program activity on your computer|Enabled +
      **Policy location:** \Windows Components\Windows Defender Antivirus\Scan @@ -159,19 +162,23 @@ Policy | Setting Check for the latest virus and spyware security intelligence before running a scheduled scan |Enabled +
      **Policy location:** \Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction Get the current list of attack surface reduction GUIDs from [Customize attack surface reduction rules](customize-attack-surface-reduction.md) 1. Open the **Configure Attack Surface Reduction** policy. -2. Select **Enabled**. -3. Select the **Show…** button. -4. Add each GUID in the **Value Name** field with a Value of 2. -This will set each up for audit only. +1. Select **Enabled**. -![Image of attack surface reduction configuration](images/asr-guid.png) +1. Select the **Show** button. + +1. Add each GUID in the **Value Name** field with a Value of 2. + + This will set each up for audit only. + + ![Image of attack surface reduction configuration](images/asr-guid.png) @@ -189,13 +196,13 @@ For security reasons, the package used to Offboard devices will expire 30 days a 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Offboarding**. + 1. In the navigation pane, select **Settings** > **Offboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **Group policy**. + 1. In the **Deployment method** field, select **Group policy**. - d. Click **Download package** and save the .zip file. + 1. Click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. @@ -221,6 +228,7 @@ For security reasons, the package used to Offboard devices will expire 30 days a With Group Policy there isn’t an option to monitor deployment of policies on the devices. Monitoring can be done directly on the portal, or by using the different deployment tools. ## Monitor devices using the portal + 1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/). 2. Click **Devices list**. 3. Verify that devices are appearing. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index 0a97fbf1e3..603253f4a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md @@ -4,7 +4,7 @@ description: Use Mobile Device Management tools to deploy the configuration pack keywords: onboard devices using mdm, device management, onboard Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, mdm search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,18 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard Windows 10 devices using Mobile Device Management tools [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) @@ -68,20 +67,20 @@ For security reasons, the package used to Offboard devices will expire 30 days a 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Offboarding**. + 1. In the navigation pane, select **Settings** > **Offboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**. + 1. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**. - d. Click **Download package**, and save the .zip file. + 1. Click **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. - OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding - Date type: String + OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding
      + Date type: String
      Value: [Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file] For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index ba65815551..595a2aec82 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -4,7 +4,7 @@ description: Configure non-Windows devices so that they can send sensor data to keywords: onboard non-Windows devices, macos, linux, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard non-Windows devices @@ -27,6 +28,7 @@ ms.topic: article - macOS - Linux - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 38ec7959c3..4d619ca79e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -4,7 +4,7 @@ description: Use Configuration Manager to deploy the configuration package on de keywords: onboard devices using sccm, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,20 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 02/07/2020 +ms.technology: mde --- # Onboard Windows 10 devices using Configuration Manager [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - Microsoft Endpoint Configuration Manager current branch - System Center 2012 R2 Configuration Manager @@ -50,9 +51,13 @@ Starting in Configuration Manager version 2002, you can onboard the following op - Windows Server 2016, version 1803 or later - Windows Server 2019 -### Onboard devices using System Center Configuration Manager +>[!NOTE] +>For more information on how to onboard Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, see, [Onboard Windows servers](configure-server-endpoints.md). + +### Onboard devices using System Center Configuration Manager + [![Image of the PDF showing the various deployment paths](images/onboard-config-mgr.png)](images/onboard-config-mgr.png#lightbox) @@ -62,13 +67,13 @@ Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/publ 1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Onboarding**. + 1. In the navigation pane, select **Settings** > **Onboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**. + 1. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**. - d. Select **Download package**, and save the .zip file. + 1. Select **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. @@ -102,11 +107,12 @@ This rule should be a *remediating* compliance rule configuration item that sets The configuration is set through the following registry key entry: -``` -Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” +```console +Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" Name: "AllowSampleCollection" Value: 0 or 1 ``` + Where:
      Key type is a D-WORD.
      Possible values are: @@ -162,21 +168,21 @@ For security reasons, the package used to Offboard devices will expire 30 days a > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. -### Offboard devices using Microsoft Endpoint Configuration Manager current branch +### Offboard devices using Microsoft Endpoint Manager current branch -If you use Microsoft Endpoint Configuration Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file). +If you use Microsoft Endpoint Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file). ### Offboard devices using System Center 2012 R2 Configuration Manager 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Offboarding**. + 1. In the navigation pane, select **Settings** > **Offboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**. + 1. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**. - d. Select **Download package**, and save the .zip file. + 1. Select **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. @@ -190,7 +196,7 @@ If you use Microsoft Endpoint Configuration Manager current branch, see [Create ## Monitor device configuration -If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see [Defender for Endpoint - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor). +If you're using Microsoft Endpoint Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see [Defender for Endpoint - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor). If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts: @@ -219,11 +225,13 @@ You can set a compliance rule for configuration item in System Center 2012 R2 Co This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted devices. Monitor the following registry key entry: + +```console +Path: "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" +Name: "OnboardingState" +Value: "1" ``` -Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status” -Name: “OnboardingState” -Value: “1” -``` + For more information, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index acfdb668c7..6c32573e4c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md @@ -4,7 +4,7 @@ description: Use a local script to deploy the configuration package on devices s keywords: configure devices using a local script, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,21 +13,16 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard Windows 10 devices using a local script [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - -**Applies to:** - - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - - +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index fc7c7e1d3c..1e4a2f4440 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -4,7 +4,7 @@ description: Deploy the configuration package on virtual desktop infrastructure keywords: configure virtual desktop infrastructure (VDI) device, vdi, device management, configure Windows ATP endpoints, configure Microsoft Defender Advanced Threat Protection endpoints search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,35 +13,28 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 04/16/2020 +ms.technology: mde --- # Onboard non-persistent virtual desktop infrastructure (VDI) devices [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - Virtual desktop infrastructure (VDI) devices - ->[!WARNING] -> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However single session scenarios on Windows Virtual Desktop are fully supported. +- Windows 10, Windows Server 2019, Windows Server 2008R2/2012R2/2016 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink) ## Onboard non-persistent virtual desktop infrastructure (VDI) devices -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - Defender for Endpoint supports non-persistent VDI session onboarding. ->[!Note] ->To onboard non-persistent VDI sessions, VDI devices must be Windows 10 or Windows Server 2019. -> ->While other Windows versions might work, only Windows 10 and Windows Server 2019 are supported. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario: @@ -59,6 +52,9 @@ The following steps will guide you through onboarding VDI devices and will highl >[!WARNING] > For environments where there are low resource configurations, the VDI boot procedure might slow the Defender for Endpoint sensor onboarding. + +### For Windows 10 or Windows Server 2019 + 1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): 1. In the navigation pane, select **Settings** > **Onboarding**. @@ -109,6 +105,29 @@ The following steps will guide you through onboarding VDI devices and will highl 7. Use the search function by entering the device name and select **Device** as search type. + +## For downlevel SKUs + +> [!NOTE] +> The following registry is relevant only when the aim is to achieve a 'Single entry for each device'. + +1. Set registry value to: + + ```reg + [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging] + "VDI"="NonPersistent" + ``` + + or using command line: + + ``` + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v VDI /t REG_SZ /d "NonPersistent" /f + ``` + +2. Follow the [server onboarding process](configure-server-endpoints.md#windows-server-2008-r2-sp1-windows-server-2012-r2-and-windows-server-2016). + + + ## Updating non-persistent virtual desktop infrastructure (VDI) images As a best practice, we recommend using offline servicing tools to patch golden/master images.
      For example, you can use the below commands to install an update while the image remains offline: diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md index 00ee7a17a2..85c75d3828 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md @@ -4,7 +4,7 @@ description: Onboard Windows 10 devices so that they can send sensor data to the keywords: Onboard Windows 10 devices, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,21 +13,22 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Onboarding tools and methods for Windows 10 devices [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft 365 Endpoint data loss prevention (DLP)](/microsoft-365/compliance/endpoint-dlp-learn-about) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) + Devices in your organization must be configured so that the Defender for Endpoint service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization. The following deployment tools and methods are supported: @@ -41,7 +42,7 @@ The following deployment tools and methods are supported: Topic | Description :---|:--- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on devices. -[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices. +[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Manager (current branch) version 1606 or Microsoft Endpoint Manager (current branch) version 1602 or earlier to deploy the configuration package on devices. [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device. [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints. [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index 17e8cb3039..6b6afc49f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md @@ -1,10 +1,10 @@ --- title: Optimize ASR rule deployment and detections -description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits. +description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits. keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,18 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Optimize ASR rule deployment and detections [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index b207e1fb84..76815e7245 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -4,7 +4,7 @@ description: Track onboarding of Intune-managed devices to Microsoft Defender AT keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, configuration management search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,18 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get devices onboarded to Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md index e110a3d518..f85e803452 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md @@ -4,7 +4,7 @@ description: The Microsoft Defender ATP security baseline sets Microsoft Defende keywords: Intune management, MDATP, WDATP, Microsoft Defender, advanced threat protection ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,18 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Increase compliance to the Microsoft Defender for Endpoint security baseline [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 9b830a3988..3bd54ed230 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md @@ -4,7 +4,7 @@ description: Properly configure devices to boost overall resilience against thre keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,18 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Ensure your devices are configured properly [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender for Endpoint ](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 3ce240d781..08de267337 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -5,7 +5,7 @@ description: Register to Microsoft Threats Experts to configure, manage, and use keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service search.product: Windows 10 search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Configure and manage Microsoft Threat Experts capabilities @@ -25,8 +26,10 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) ## Before you begin > [!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md index e75588efda..6f4f12e78a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md @@ -1,10 +1,10 @@ --- -title: Configure alert notifications that are sent to MSSPs +title: Configure alert notifications that are sent to MSSPs description: Configure alert notifications that are sent to MSSPs keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,18 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure alert notifications that are sent to MSSPs [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index dde5d47ec5..09106fbd64 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -1,10 +1,10 @@ --- title: Configure managed security service provider support -description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP +description: Take the necessary steps to configure the MSSP integration with the Microsoft Defender for Endpoint keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,22 +13,21 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure managed security service provider integration [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) - [!include[Prerelease information](../../includes/prerelease.md)] You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 6abe8ff951..07ccd43835 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -4,7 +4,7 @@ description: Configure the Microsoft Defender ATP proxy and internet settings to keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,19 +14,19 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Configure device proxy and Internet connectivity settings [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - -- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) @@ -140,7 +140,8 @@ The information below list the proxy and firewall configuration information requ |------|---------|--------|--------| |*.ods.opinsights.azure.com |Port 443 |Outbound|Yes | |*.oms.opinsights.azure.com |Port 443 |Outbound|Yes | -|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.azure-automation.net |Port 443 |Outbound|Yes | > [!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index ad4b3d8853..d9643ad099 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -1,10 +1,10 @@ --- -title: Onboard Windows servers to the Microsoft Defender ATP service -description: Onboard Windows servers so that they can send sensor data to the Microsoft Defender ATP sensor. -keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers +title: Onboard Windows servers to the Microsoft Defender for Endpoint service +description: Onboard Windows servers so that they can send sensor data to the Microsoft Defender for Endpoint sensor. +keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers, onboard Microsoft Defender for Endpoint servers search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard Windows servers to the Microsoft Defender for Endpoint service @@ -31,6 +32,8 @@ ms.topic: article - Windows Server 2019 and later - Windows Server 2019 core edition - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink) @@ -41,6 +44,7 @@ For a practical guidance on what needs to be in place for licensing and infrastr For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines). +
      ## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 @@ -48,20 +52,20 @@ You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows - **Option 1**: [Onboard by installing and configuring Microsoft Monitoring Agent (MMA)](#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma) - **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center) -- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later) +- **Option 3**: [Onboard through Microsoft Endpoint Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-manager-version-2002-and-later) After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). > [!NOTE] -> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). +> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). ### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). -If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. +If you're already using System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. In general, you'll need to take the following steps: 1. Fulfill the onboarding requirements outlined in **Before you begin** section. @@ -97,10 +101,13 @@ Perform the following steps to fulfill the onboarding requirements: 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). 2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server: - - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
      + - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
      On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). + - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line). + - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation). +> [!NOTE] +> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. @@ -113,7 +120,7 @@ If your servers need to use a proxy to communicate with Defender for Endpoint, u - [Configure Windows to use a proxy server for all connections](configure-proxy-internet.md) -If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender ATP service URLs directly and without SSL interception. For more information, see [enable access to Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service. +If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender for Endpoint service URLs directly and without SSL interception. For more information, see [enable access to Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service. Once completed, you should see onboarded Windows servers in the portal within an hour. @@ -128,12 +135,19 @@ Once completed, you should see onboarded Windows servers in the portal within an After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). -### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later -You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint - in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). +> [!NOTE] +> - For onboarding via Azure Defender for Servers (previously Azure Security Center Standard Edition) to work as expected, the server must have an appropriate workspace and key configured within the Microsoft Monitoring Agent (MMA) settings. +> - Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started. +> - This is also required if the server is configured to use an OMS Gateway server as proxy. + +### Option 3: Onboard Windows servers through Microsoft Endpoint Manager version 2002 and later +You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint + in Microsoft Endpoint Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). +
      + ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods: @@ -144,12 +158,12 @@ You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windo - [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) > [!NOTE] -> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs). -> - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. +> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs). +> - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, or Microsoft Endpoint Configuration Manager. -Support for Windows Server, provide deeper insight into activities happening on the Windows server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. +Support for Windows Server provides deeper insight into server activities, coverage for kernel and memory attack detection, and enables response actions. -1. Configure Defender for Endpoint onboarding settings on the Windows server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md). +1. Configure Defender for Endpoint onboarding settings on the Windows server using the same tools and methods for Windows 10 devices. For more information, see [Onboard Windows 10 devices](configure-endpoints.md). 2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly: @@ -173,12 +187,14 @@ Support for Windows Server, provide deeper insight into activities happening on ```sc.exe query Windefend``` - If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). + If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus). +
      + ## Integration with Azure Security Center -Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. +Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers. The following capabilities are included in this integration: - Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). @@ -196,6 +212,7 @@ Data collected by Defender for Endpoint is stored in the geo-location of the ten > - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
      Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. +
      ## Configure and update System Center Endpoint Protection clients @@ -206,7 +223,7 @@ The following steps are required to enable this integration: - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. - +
      ## Offboard Windows servers You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices. @@ -249,13 +266,18 @@ To offboard the Windows server, you can use either of the following methods: 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: ```powershell + $ErrorActionPreference = "SilentlyContinue" # Load agent scripting object $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg # Remove OMS Workspace - $AgentCfg.RemoveCloudWorkspace($WorkspaceID) + $AgentCfg.RemoveCloudWorkspace("WorkspaceID") # Reload the configuration and apply changes $AgentCfg.ReloadConfiguration() + ``` + +
      + ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard non-Windows devices](configure-endpoints-non-windows.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 62e2e5f5b1..7597959e7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -4,7 +4,7 @@ description: Learn how to use REST API and configure supported security informat keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,18 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Pull detections to your SIEM tools [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md new file mode 100644 index 0000000000..3a5a17455d --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md @@ -0,0 +1,93 @@ +--- +title: Configure vulnerability email notifications in Microsoft Defender for Endpoint +description: Use Microsoft Defender for Endpoint to configure email notification settings for vulnerability events. +keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Configure vulnerability email notifications in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) + +Configure Microsoft Defender for Endpoint to send email notifications to specified recipients for new vulnerability events. This feature enables you to identify a group of individuals who will immediately be informed and can act on the notifications based on the event. The vulnerability information comes from Defender for Endpoint's [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) capability. + +> [!NOTE] +> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. [Learn more about permission options](user-roles.md) + +The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they are added. + +If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. +Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups. + +The email notification includes basic information about the vulnerability event. There are also links to filtered views in the threat and vulnerability management [Security recommendations](tvm-security-recommendation.md) and [Weaknesses](tvm-weaknesses.md) pages in the portal so you can further investigate. For example, you could get a list of all exposed devices or get additional details about the vulnerability. + +## Create rules for alert notifications + +Create a notification rule to send an email when there are certain exploit or vulnerability events, such as a new public exploit. For each rule, multiple event types can be selected. + +1. In the navigation pane, go to **Settings** > **Email notifications** > **Vulnerabilities**. + +2. Select **Add notification rule**. + +3. Name the email notification rule and include a description. + +4. Check **Notification enabled** to activate the notification. Select **Next** + +5. Fill in the notification settings. Then select **Next** + + - Choose device groups to get notifications for. + - Choose the vulnerability event(s) that you want to be notified about when they affect your organization. + - Options: new vulnerability found (including severity threshold), new public exploit, exploit added to an exploit kit, exploit was verified. + - Include organization name if you want the organization name in the email + +6. Enter the recipient email address then select **Add**. You can add multiple email addresses. + +7. Review the settings for the new email notification rule and select **Create rule** when you're ready to create it. + +## Edit a notification rule + +1. Select the notification rule you'd like to edit. + +2. Select the **Edit rule** button next to the pencil icon in the flyout. Make sure you have permission to edit or delete the rule. + +## Delete notification rule + +1. Select the notification rule you'd like to delete. + +2. Select the **Delete** button next to the trash can icon in the flyout. Make sure you have permission to edit or delete the rule. + +## Troubleshoot email notifications for alerts + +This section lists various issues that you may encounter when using email notifications for alerts. + +**Problem:** Intended recipients report they are not getting the notifications. + +**Solution:** Make sure that the notifications are not blocked by email filters: + +1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk. +2. Check that your email security product is not blocking the email notifications from Defender for Endpoint. +3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications. + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Weaknesses](tvm-weaknesses.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md index 99a86d51e7..081cd57903 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md @@ -1,11 +1,11 @@ --- -title: Connected applications in Microsoft Defender ATP +title: Connected applications in Microsoft Defender ATP ms.reviewer: description: View connected partner applications that use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender ATP APIs. keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Connected applications in Microsoft Defender for Endpoint @@ -24,8 +25,11 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) + Connected applications integrates with the Defender for Endpoint platform using APIs. Applications use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender for Endpoint APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control over which APIs can be accessed using the corresponding app. diff --git a/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md b/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md new file mode 100644 index 0000000000..95f0488aa4 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md @@ -0,0 +1,45 @@ +--- +title: Contact Microsoft Defender for Endpoint support for US Government customers +description: Learn how to contact Microsoft Defender for Endpoint support for US Government customers +keywords: support, contact, premier support, solutions, problems, case, government, gcc, gcc-m, gcc-h, defender, endpoint, mdatp, mde +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ROBOTS: noindex,nofollow +ms.technology: mde +--- + +# Contact Microsoft Defender for Endpoint support for US Government customers + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience. + +## Using the right portal +In order to open a support case, you will need to login to your Microsoft Defender for Endpoint portal: + +Environment | Portal URL +:---|:--- +GCC-M on Commercial | [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) +GCC-M | [https://gcc.securitycenter.microsoft.us](https://gcc.securitycenter.microsoft.us) +GCC-H | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us) +DoD | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us) + +If you are unable to login to the portal, you can also open a support case using the [phone](https://docs.microsoft.com/microsoft-365/admin/contact-support-for-business-products?view=o365-worldwide&tabs=phone&preserve-view=true). + +## Opening a support case +For prerequisites and instructions, see [Contact Microsoft Defender for Endpoint support](contact-support.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/contact-support.md b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md index b8af068443..e79c0952b0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/contact-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md @@ -4,7 +4,7 @@ description: Learn how to contact Microsoft Defender ATP support keywords: support, contact, premier support, solutions, problems, case search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Contact Microsoft Defender for Endpoint support @@ -23,7 +24,10 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender for Endpoint](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience. @@ -39,7 +43,7 @@ At a minimum, you must have a Service Support Administrator **OR** Helpdesk Admi For more information on which roles have permission see, [Security Administrator permissions](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles#security-administrator-permissions). Roles that include the action `microsoft.office365.supportTickets/allEntities/allTasks` can submit a case. -For general information on admin roles, see [About admin roles](https://docs.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide). +For general information on admin roles, see [About admin roles](https://docs.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide&preserve-view=true). ## Access the widget diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 8112a5f3e8..c7281f84af 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -1,9 +1,9 @@ --- -title: Prevent ransomware and threats from encrypting and changing files +title: Protect important folders from ransomware from encrypting your files with controlled folder access description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files. keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,44 +11,75 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb audience: ITPro -ms.date: 11/05/2020 +ms.date: 02/03/2021 ms.reviewer: v-maave manager: dansimp ms.custom: asr +ms.technology: mde --- # Protect important folders with controlled folder access [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) ## What is controlled folder access? -Controlled folder access helps you protect your valuable data from malicious apps and threats, like ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App or in Microsoft Endpoint Configuration Manager and Intune (for managed devices). +Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). + +> [!NOTE] +> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you add it as an application you trust or allow with [certificate and file indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates). Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +> [!TIP] +> Controlled folder access blocks don't generate alerts in the [Alerts queue](../microsoft-defender-atp/alerts-queue.md). However, you can view information about controlled folder access blocks in the [device timeline view](../microsoft-defender-atp/investigate-machines.md), while using [advanced hunting](../microsoft-defender-atp/advanced-hunting-overview.md), or with [custom detection rules](../microsoft-defender-atp/custom-detection-rules.md). + ## How does controlled folder access work? Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders. -Controlled folder access works with a list of trusted software. If an app is included in the list of trusted software, the app works as expected. If not, the app is blocked from making any changes to files that are inside protected folders. Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list. +Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the list are prevented from making any changes to files inside protected folders. -Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console. +Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically. + +Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console. + +## Why controlled folder access is important Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -The protected folders include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add more folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. +Controlled folder access is supported on the following versions of Windows: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) and later +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -## Requirements +## Windows system folders are protected by default + +Windows system folders are protected by default, along with several other folders: + +- `c:\Users\\Documents` +- `c:\Users\Public\Documents` +- `c:\Users\\Pictures` +- `c:\Users\Public\Pictures` +- `c:\Users\Public\Videos` +- `c:\Users\\Videos` +- `c:\Users\\Music` +- `c:\Users\Public\Music` +- `c:\Users\\Favorites` + +> [!NOTE] +> You can configure additional folders as protected, but you cannot remove the Windows system folders that are protected by default. + +## Requirements for controlled folder access Controlled folder access requires enabling [Microsoft Defender Antivirus real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md). @@ -56,7 +87,7 @@ Controlled folder access requires enabling [Microsoft Defender Antivirus real-ti Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use [advanced hunting](advanced-hunting-overview.md) to see how controlled folder access settings would affect your environment if they were enabled. Example query: @@ -70,45 +101,36 @@ DeviceEvents You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. - 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - 3. On the left panel, under **Actions**, select **Import custom view...**. - 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md). +5. Select **OK**. -5. Click **OK**. - -After following the procedure, you have created a custom view that shows events related to controlled folder access, as listed in the following table: +The following table shows events related to controlled folder access: |Event ID | Description | -|---|---| +|:---|:---| |5007 | Event when settings are changed | |1124 | Audited controlled folder access event | |1123 | Blocked controlled folder access event | ## View or change the list of protected folders -### Windows 10 security app +You can use the Windows Security app to view the list of folders that are protected by controlled folder access. 1. On your Windows 10 device, open the Windows Security app. - 2. Select **Virus & threat protection**. - 3. Under **Ransomware protection**, select **Manage ransomware protection**. - 4. If controlled folder access is turned off, you'll need to turn it on. Select **protected folders**. - 5. Do one of the following steps: - - To add a folder, select **+ Add a protected folder**. - - To remove a folder, select it, and then select **Remove**. +> [!NOTE] +> [Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list. + ## See also -- [Evaluate controlled folder access](evaluate-controlled-folder-access.md). Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. - -- [Enable controlled folder access](enable-controlled-folders.md). Use Group Policy, PowerShell, or mobile device management CSPs to enable and manage controlled folder access in your network - -- [Customize controlled folder access](customize-controlled-folders.md). Add additional protected folders, and allow specified apps to access protected folders. +- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) +- [Customize controlled folder access](customize-controlled-folders.md) +- [Protect more folders](customize-controlled-folders.md#protect-additional-folders) diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index a5c286ef37..9ce4f58684 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -3,7 +3,7 @@ title: Create alert from event API description: Learn how to use the Create alert API to create a new Alert on top of Event in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, alert, information, id search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create alert API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -56,7 +62,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference +POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference ``` ## Request headers @@ -91,11 +97,10 @@ If successful, this method returns 200 OK, and a new [alert](alerts.md) object i Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] +```http +POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference +``` -``` -POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference -``` ```json { "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 17e23e40fc..b4ddf74520 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -5,7 +5,7 @@ description: Learn how to create custom detection rules based on advanced huntin keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 09/20/2020 +ms.technology: mde --- # Create custom detection rules @@ -24,8 +25,10 @@ ms.date: 09/20/2020 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. @@ -113,6 +116,7 @@ These actions are applied to devices in the `DeviceId` column of the query resul - **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) - **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device - **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device +- **Restrict app execution**—sets restrictions on the device to allow only files that are signed with a Microsoft-issued certificate to run. [Learn more about restricting app execution](respond-machine-alerts.md#restrict-app-execution) ### Actions on files @@ -121,6 +125,10 @@ These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` - **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. - **Quarantine file**—deletes the file from its current location and places a copy in quarantine +### Actions on users + +- **Mark user as compromised**—sets the user's risk level to "high" in Azure Active Directory, triggering the corresponding [identity protection policies](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection#risk-levels). + ## 5. Set the rule scope. Set the scope to specify which devices are covered by the rule: diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md index ef5088e134..be445c4a3c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md @@ -5,7 +5,7 @@ description: Learn how to view and manage custom detection rules keywords: custom detections, view, manage, alerts, edit, run on demand, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- @@ -25,6 +26,9 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index 81ede44b00..e82169852e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -3,7 +3,7 @@ title: Customize attack surface reduction rules description: Individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from attack surface reduction rules keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,6 +12,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Customize attack surface reduction rules @@ -20,8 +21,10 @@ manager: dansimp **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index b689c58a11..1517a11f36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -1,17 +1,19 @@ --- title: Customize controlled folder access -description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. +description: Add other folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium audience: ITPro -author: levinec -ms.author: ellevin -ms.reviewer: +author: denisebmsft +ms.author: deniseb +ms.reviewer: jcedola, dbodorin, vladiso, nixanm, anvascon manager: dansimp +ms.date: 01/06/2021 +ms.technology: mde --- # Customize controlled folder access @@ -20,44 +22,51 @@ manager: dansimp **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients. -This article describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). +This article describes how to customize controlled folder access capabilities, and includes the following sections: -* [Add additional folders to be protected](#protect-additional-folders) -* [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) +- [Protect additional folders](#protect-additional-folders) +- [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) +- [Allow signed executable files to access protected folders](#allow-signed-executable-files-to-access-protected-folders) +- [Customize the notification](#customize-the-notification) -> [!WARNING] -> Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. -> -> This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender.md) to fully assess the feature's impact. +> [!IMPORTANT] +> Controlled folder access monitors apps for activities that are detected as malicious. Sometimes, legitimate apps are blocked from making changes to your files. If controlled folder access impacts your organization's productivity, you might consider running this feature in [audit mode](audit-windows-defender.md) to fully assess the impact. ## Protect additional folders -Controlled folder access applies to a number of system folders and default locations, such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you can't remove the default folders in the default list. +Controlled folder access applies to many system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list. -Adding other folders to controlled folder access can be useful. Some use-cases include if you don't store files in the default Windows libraries, or you've changed the location of the libraries away from the defaults. +Adding other folders to controlled folder access can be helpful for cases when you don't store files in the default Windows libraries, or you've changed the default location of your libraries. -You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +You can also specify network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). -You can use the Windows Security app or Group Policy to add and remove additional protected folders. +You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobile device management configuration service providers to add and remove additional protected folders. ### Use the Windows Security app to protect additional folders -1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Security**. -2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. +2. Select **Virus & threat protection**, and then scroll down to the **Ransomware protection** section. -3. Under the **Controlled folder access** section, select **Protected folders**. +3. Select **Manage ransomware protection** to open the **Ransomware protection** pane. -4. Select **Add a protected folder** and follow the prompts to add apps. +4. Under the **Controlled folder access** section, select **Protected folders**. + +5. Choose **Yes** on the **User Access Control** prompt. The **Protected folders** pane displays. + +4. Select **Add a protected folder** and follow the prompts to add folders. ### Use Group Policy to protect additional folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)?preserve=true), right-click the Group Policy Object you want to configure, and then and select **Edit**. 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. @@ -67,16 +76,16 @@ You can use the Windows Security app or Group Policy to add and remove additiona ### Use PowerShell to protect additional folders -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** +1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** + 2. Enter the following cmdlet: ```PowerShell Add-MpPreference -ControlledFolderAccessProtectedFolders "" ``` +3. Repeat step 2 until you have added all the folders you want to protect. Folders that are added are visible in the Windows Security app. -Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app. - -![Screenshot of a PowerShell window with the cmdlet above entered](../images/cfa-allow-folder-ps.png) + ![Screenshot of a PowerShell window with the cmdlet above entered](../images/cfa-allow-folder-ps.png) > [!IMPORTANT] > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. @@ -90,8 +99,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m You can specify if certain apps are always considered safe and give write access to files in protected folders. Allowing apps can be useful if a particular app you know and trust is being blocked by the controlled folder access feature. > [!IMPORTANT] -> By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. -> You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. +> By default, Windows adds apps that are considered friendly to the allowed list. Such apps that are added automatically are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders. If the app (with the same name) is in a different location, it will not be added to the allow list and may be blocked by controlled folder access. @@ -99,9 +107,9 @@ An allowed application or service only has write access to a controlled folder a ### Use the Windows Defender Security app to allow specific apps -1. Open the Windows Security by selecting the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by searching the start menu for **Security**. -2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Manage ransomware protection**. 3. Under the **Controlled folder access** section, select **Allow an app through Controlled folder access** @@ -111,7 +119,7 @@ An allowed application or service only has write access to a controlled folder a ### Use Group Policy to allow specific apps -1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)?preserve=true), right-click the Group Policy Object you want to configure and select **Edit**. 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. @@ -121,7 +129,7 @@ An allowed application or service only has write access to a controlled folder a ### Use PowerShell to allow specific apps -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** +1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell @@ -145,12 +153,16 @@ An allowed application or service only has write access to a controlled folder a Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. +## Allow signed executable files to access protected folders + +Microsoft Defender for Endpoint certificate and file indicators can allow signed executable files to access protected folders. For implementation details, see [Create indicators based on certificates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates). + ## Customize the notification -For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center). +For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Configure alert notifications in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications). -## Related topics +## See also -* [Protect important folders with controlled folder access](controlled-folders.md) -* [Enable controlled folder access](enable-controlled-folders.md) -* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) +- [Protect important folders with controlled folder access](controlled-folders.md) +- [Enable controlled folder access](enable-controlled-folders.md) +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index e0f6337ab6..80c3c22418 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -3,7 +3,7 @@ title: Customize exploit protection keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr description: You can enable or disable specific mitigations used by exploit protection using the Windows Security app or PowerShell. You can also audit mitigations and export configurations. search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,6 +12,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Customize exploit protection @@ -20,8 +21,11 @@ manager: dansimp **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. @@ -46,44 +50,44 @@ The **Use default** configuration for each of the mitigation settings indicates For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this article. -Mitigation | Description | Can be applied to | Audit mode available --|-|-|- -Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +| Mitigation | Description | Can be applied to | Audit mode available | +| ---------- | ----------- | ----------------- | -------------------- | +| Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | ![Check mark yes](../images/svg/check-yes.svg)| +| Block remote images | Prevents loading of images from remote devices. | App-level only | ![Check mark no](../images/svg/check-no.svg | +| Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | !include[Check mark yes](../images/svg/check-yes.svg) | +| Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | ![Check mark no](../images/svg/check-no.svg) | +| Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Don't allow child processes | Prevents an app from creating child processes. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | ![Check mark no](../images/svg/check-no.svg) | +| Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | ![Check mark no](../images/svg/check-no.svg) | +| Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | > [!IMPORTANT] > If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: > > -> Enabled in **Program settings** | Enabled in **System settings** | Behavior -> -|-|- -> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** -> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** -> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** -> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option +> | Enabled in **Program settings** | Enabled in **System settings** | Behavior | +> | ------------------------------- | ------------------------------ | -------- | +> | ![Check mark yes](../images/svg/check-yes.svg) | ![Check mark no](../images/svg/check-no.svg) | As defined in **Program settings** | +> | ![Check mark yes](../images/svg/check-yes.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **Program settings** | +> | ![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **System settings** | +> | ![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | Default as defined in **Use default** option | > > > -> * **Example 1** +> * **Example 1** > > Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. > @@ -116,10 +120,10 @@ Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redir * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation - >[!NOTE] - >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. + > [!NOTE] + > You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. - Changing some settings may require a restart. + Changing some settings may require a restart. 4. Repeat this for all the system-level mitigations you want to configure. @@ -127,8 +131,8 @@ Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redir 1. If the app you want to configure is already listed, select it and then select **Edit** 2. If the app isn't listed, at the top of the list select **Add program to customize** and then choose how you want to add the app: - * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, select the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. @@ -140,14 +144,14 @@ Exporting the configuration as an XML file allows you to copy the configuration ## PowerShell reference - You can use the Windows Security app to configure Exploit protection, or you can use PowerShell cmdlets. +You can use the Windows Security app to configure Exploit protection, or you can use PowerShell cmdlets. - The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. +The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. - >[!IMPORTANT] - >Any changes that are deployed to a device through Group Policy will override the local configuration. When setting up an initial configuration, use a device that will not have a Group Policy configuration applied to ensure your changes aren't overridden. +> [!IMPORTANT] +> Any changes that are deployed to a device through Group Policy will override the local configuration. When setting up an initial configuration, use a device that will not have a Group Policy configuration applied to ensure your changes aren't overridden. - You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: +You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: ```PowerShell Get-ProcessMitigation -Name processName.exe @@ -164,7 +168,7 @@ Get-ProcessMitigation -Name processName.exe Use `Set` to configure each mitigation in the following format: - ```PowerShell +```PowerShell Set-ProcessMitigation - - ,, ``` @@ -179,34 +183,34 @@ Where: * \: * The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. - For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: +For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: - ```PowerShell - Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation - ``` +```PowerShell +Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation +``` - > [!IMPORTANT] - > Separate each mitigation option with commas. +> [!IMPORTANT] +> Separate each mitigation option with commas. - If you wanted to apply DEP at the system level, you'd use the following command: +If you wanted to apply DEP at the system level, you'd use the following command: - ```PowerShell - Set-Processmitigation -System -Enable DEP - ``` +```PowerShell +Set-Processmitigation -System -Enable DEP +``` - To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app. +To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app. - If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example: +If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example: - ```PowerShell - Set-Processmitigation -Name test.exe -Remove -Disable DEP - ``` +```PowerShell +Set-Processmitigation -Name test.exe -Remove -Disable DEP +``` - You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. +You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. - For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used previously, you'd use the following command: +For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used previously, you'd use the following command: - ```PowerShell +```PowerShell Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode ``` @@ -218,29 +222,29 @@ This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that -Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet -- | - | - | - -Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available -Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available -Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available -Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available -Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available -Validate heap integrity | System and app-level | TerminateOnError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned -Disable extension points | App-level only | ExtensionPoint | Audit not available -Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall -Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available -Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available +| Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet | +| ---------- | ---------- | ------------------ | ----------------- | +| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | +| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | +| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | +| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available | +| Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available | +| Validate heap integrity | System and app-level | TerminateOnError | Audit not available | +| Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode | +| Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad | +| Block remote images | App-level only | BlockRemoteImages | Audit not available | +| Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly | +| Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned | +| Disable extension points | App-level only | ExtensionPoint | Audit not available | +| Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall | +| Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess | +| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | +| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | +| Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] | +| Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | +| Validate handle usage | App-level only | StrictHandle | Audit not available | +| Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available | +| Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] | \[1\]: Use the following format to enable EAF modules for dlls for a process: @@ -248,11 +252,13 @@ Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` +\[2\]: Audit for this mitigation is not available via PowerShell cmdlets. + ## Customize the notification For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center). -## See also +## See also: * [Protect devices from exploits](exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index 7932cfb153..5266ed304e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md @@ -1,10 +1,10 @@ --- -title: Verify data storage location and update data retention settings +title: Verify data storage location and update data retention settings description: Verify data storage location and update data retention settings for Microsoft Defender Advanced Threat Protection keywords: data, storage, settings, retention, update search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Verify data storage location and update data retention settings for Microsoft Defender for Endpoint @@ -22,9 +23,8 @@ ms.topic: conceptual **Applies to:** - - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-gensettings-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md index 953b74c139..6af0ae78d7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md @@ -1,10 +1,10 @@ --- -title: Microsoft Defender ATP data storage and privacy -description: Learn about how Microsoft Defender ATP handles privacy and data that it collects. -keywords: Microsoft Defender ATP data storage and privacy, storage, privacy, licensing, geolocation, data retention, data +title: Microsoft Defender for Endpoint data storage and privacy +description: Learn about how Microsoft Defender for Endpoint handles privacy and data that it collects. +keywords: Microsoft Defender for Endpoint, Microsoft Defender ATP, data storage and privacy, storage, privacy, licensing, geolocation, data retention, data search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,20 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender for Endpoint data storage and privacy [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender for Endpoint](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) This section covers some of the most frequently asked questions regarding privacy and data handling for Defender for Endpoint. > [!NOTE] @@ -84,7 +85,7 @@ No. Customer data is isolated from other customers and is not shared. However, i ## How long will Microsoft store my data? What is Microsoft’s data retention policy? **At service onboarding**
      -You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of one month to six months to meet your company’s regulatory compliance needs. +You can choose the data retention policy for your data. This determines how long Window Defender for Endpoint will store your data. There’s a flexibility of choosing in the range of one month to six months to meet your company’s regulatory compliance needs. **At contract termination or expiration**
      Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration. diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md index f84762a3a0..e4d3704b11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md @@ -1,10 +1,10 @@ --- -title: Microsoft Defender Antivirus compatibility with Microsoft Defender ATP -description: Learn about how Windows Defender works with Microsoft Defender ATP and how it functions when a third-party antimalware client is used. -keywords: windows defender compatibility, defender, microsoft defender atp +title: Microsoft Defender Antivirus compatibility with Defender for Endpoint +description: Learn about how Windows Defender works with Microsoft Defender for Endpoint and how it functions when a third-party antimalware client is used. +keywords: windows defender compatibility, defender, microsoft defender atp, defender for endpoint, antivirus, mde search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,22 +13,19 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/24/2018 +ms.technology: mde --- -# Microsoft Defender Antivirus compatibility with Microsoft Defender ATP +# Microsoft Defender Antivirus compatibility with Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - -- Windows Defender - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-defendercompat-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md new file mode 100644 index 0000000000..87dd461c37 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -0,0 +1,365 @@ +--- +title: Address false positives/negatives in Microsoft Defender for Endpoint +description: Learn how to handle false positives or false negatives in Microsoft Defender for Endpoint. +keywords: alert, exclusion, defender atp, false positive, false negative +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.technology: mde +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.date: 02/11/2021 +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +- m365solution-scenario +- m365scenario-fpfn +ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola +ms.custom: FPFN +--- + +# Address false positives/negatives in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) + +In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). + +![Definition of false positive and negatives in Windows Defender for Endpoints](images/false-positives-overview.png) + +Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address them by using the following process: + +1. [Review and classify alerts](#part-1-review-and-classify-alerts) +2. [Review remediation actions that were taken](#part-2-review-remediation-actions) +3. [Review and define exclusions](#part-3-review-or-define-exclusions) +4. [Submit an entity for analysis](#part-4-submit-a-file-for-analysis) +5. [Review and adjust your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) + +And, you can [get help if you still have issues with false positives/negatives](#still-need-help) after performing the tasks described in this article. + +![Steps to address false positives and negatives](images/false-positives-step-diagram.png) + +> [!NOTE] +> This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md). + +## Part 1: Review and classify alerts + +If you see an [alert](alerts.md) that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. + +Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. + +### Determine whether an alert is accurate + +Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, choose **Alerts queue**. +3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) +4. Depending on the alert status, take the steps described in the following table: + +| Alert status | What to do | +|:---|:---| +| The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | +| The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive.
      2. [Suppress the alert](#suppress-an-alert).
      3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.
      4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | +| The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | + +### Classify an alert + +Alerts can be classified as false positives or true positives in the Microsoft Defender Security Center. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. Select **Alerts queue**, and then select an alert. +3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. +4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.) + +> [!TIP] +> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. + +### Suppress an alert + +If you have alerts that are either false positives or that are true positives but for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, select **Alerts queue**. +3. Select an alert that you want to suppress to open its **Details** pane. +4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**. +5. Specify all the settings for your suppression rule, and then choose **Save**. + +> [!TIP] +> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). + +## Part 2: Review remediation actions + +[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, are taken on entities (such as files) that are detected as threats. Several types of remediation actions occur automatically through automated investigation and Microsoft Defender Antivirus: +- Quarantine a file +- Remove a registry key +- Kill a process +- Stop a service +- Disable a driver +- Remove a scheduled task + +Other actions, such as starting an antivirus scan or collecting an investigation package, occur manually or through [Live Response](live-response.md). Actions taken through Live Response cannot be undone. + +After you have reviewed your alerts, your next step is to [review remediation actions](manage-auto-investigation.md). If any actions were taken as a result of false positives, you can undo most kinds of remediation actions. Specifically, you can: +- [Undo one action at a time](#undo-an-action); +- [Undo multiple actions at one time](#undo-multiple-actions-at-one-time); and +- [Remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices). + +When you're done reviewing and undoing actions that were taken as a result of false positives, proceed to [review or define exclusions](#part-3-review-or-define-exclusions). + +### Review completed actions + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. Select the **History** tab to view a list of actions that were taken. +3. Select an item to view more details about the remediation action that was taken. + +### Undo an action + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select an action that you want to undo. +3. In the flyout pane, select **Undo**. If the action cannot be undone with this method, you will not see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).) + +### Undo multiple actions at one time + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select the actions that you want to undo. +3. In the pane on the right side of the screen, select **Undo**. + +### Remove a file from quarantine across multiple devices + +> [!div class="mx-imgBorder"] +> ![Quarantine file](images/autoir-quarantine-file-1.png) + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select a file that has the Action type **Quarantine file**. +3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**. + +## Part 3: Review or define exclusions + +An exclusion is an entity, such as a file or URL, that you specify as an exception to remediation actions. The excluded entity can still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. + +To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: +- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) +- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) + +> [!NOTE] +> Microsoft Defender Antivirus exclusions apply only to antivirus protection, not across other Microsoft Defender for Endpoint capabilities. To exclude files broadly, use exclusions for Microsoft Defender Antivirus and [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) for Microsoft Defender for Endpoint. + +The procedures in this section describe how to define exclusions and indicators. + +### Exclusions for Microsoft Defender Antivirus + +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to define or edit your antivirus exclusions; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)). + +> [!TIP] +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). + +#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)). +3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. +4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. +5. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. +3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**). +4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. +5. Specify a name and description for the profile, and then choose **Next**. +6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + +### Indicators for Microsoft Defender for Endpoint + +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. + +To specify entities as exclusions for Microsoft Defender for Endpoint, create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10), [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), and [automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). + +"Allow" indicators can be created for: + +- [Files](#indicators-for-files) +- [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains) +- [Application certificates](#indicators-for-application-certificates) + +![Indicator types diagram](images/false-positives-indicators.png) + +#### Indicators for files + +When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. + +Before you create indicators for files, make sure the following requirements are met: +- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus)) +- Antimalware client version is 4.18.1901.x or later +- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 +- The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) + +#### Indicators for IP addresses, URLs, or domains + +When you [create an "allow" indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain), it helps prevent the sites or IP addresses your organization uses from being blocked. + +Before you create indicators for IP addresses, URLs, or domains, make sure the following requirements are met: +- Network protection in Defender for Endpoint is enabled in block mode (see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection)) +- Antimalware client version is 4.18.1906.x or later +- Devices are running Windows 10, version 1709, or later + +Custom network indicators are turned on in the Microsoft Defender Security Center (see [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features)) + +#### Indicators for application certificates + +When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported. + +Before you create indicators for application certificates, make sure the following requirements are met: +- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus)) +- Antimalware client version is 4.18.1901.x or later +- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 +- Virus and threat protection definitions are up to date + +> [!TIP] +> When you create indicators, you can define them one by one, or import multiple items at once. Keep in mind there's a limit of 15,000 indicators for a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). + +## Part 4: Submit a file for analysis + +You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions, and their results help inform Microsoft Defender for Endpoint threat protection capabilities. When you sign in at the submission site, you can track your submissions. + +### Submit a file for analysis + +If you have a file that was either wrongly detected as malicious or was missed, follow these steps to submit the file for analysis. + +1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). +2. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). + +### Submit a fileless detection for analysis + +If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the *.cab* file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10. + +1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator. +2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. + A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`. +3. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). +4. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your .cab files. + +### What happens after a file is submitted? + +Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. It’s possible that a file might have already been submitted and processed by an analyst. In those cases, a determination is made quickly. + +For submissions that were not already processed, they are prioritized for analysis as follows: + +- Prevalent files with the potential to impact large numbers of computers are given a higher priority. +- Authenticated customers, especially enterprise customers with valid [Software Assurance IDs (SAIDs)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx), are given a higher priority. +- Submissions flagged as high priority by SAID holders are given immediate attention. + +To check for updates regarding your submission, sign in at the [Microsoft Security Intelligence submission site](https://www.microsoft.com/wdsi/filesubmission). + +> [!TIP] +> To learn more, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions). + +## Part 5: Review and adjust your threat protection settings + +Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to: + +- [Cloud-delivered protection](#cloud-delivered-protection) +- [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications) +- [Automated investigation and remediation](#automated-investigation-and-remediation) + +### Cloud-delivered protection + +Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, cloud-delivered protection is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. + +> [!TIP] +> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus). + +We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to edit or set your cloud-delivered protection settings; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)). + +#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)). +3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting cloud-delivered protection to **Not configured**, which provides strong protection while reducing the chances of getting false positives. +5. Choose **Review + save**, and then **Save**. + +#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create policy**. +3. For **Platform**, select an option, and then for **Profile**, select **Antivirus** or **Microsoft Defender Antivirus** (the specific option depends on what you selected for **Platform**.) Then choose **Create**. +4. On the **Basics** tab, specify a name and description for the policy. Then choose **Next**. +5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings: + - Set **Turn on cloud-delivered protection** to **Yes**. + - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.) +6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + +### Remediation for potentially unwanted applications + +Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. + +> [!TIP] +> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). + +Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. + +We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to edit or set PUA protection settings; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)). + +#### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile).) +3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. +4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) +6. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to set PUA protection (for a new configuration profile) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles** > **+ Create profile**. +3. For the **Platform**, choose **Windows 10 and later**, and for **Profile**, select **Device restrictions**. +4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**. +5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn off PUA protection, but by using audit mode, you will be able to see detections.) +7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. +9. On the **Review + create** tab, review your settings, and, and then choose **Create**. + +### Automated investigation and remediation + +[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. + +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts that are considered to be *Malicious* or *Suspicious*. In some cases, remediation actions occur automatically; in other cases, remediation actions are taken manually or only upon approval by your security operations team. + +- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then +- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). + +> [!IMPORTANT] +> We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle. + +## Still need help? + +If you have worked through all the steps in this article and still need help, contact technical support. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**. +3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request. + +## See also + +[Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md) + +[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use) diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md index 123ce4959e..82e098b761 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md @@ -3,7 +3,7 @@ title: Delete Indicator API. description: Learn how to use the Delete Indicator API to delete an Indicator entity by ID in Microsoft Defender Advanced Threat Protection. keywords: apis, public api, supported apis, delete, ti indicator, entity, id search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Delete Indicator API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -45,12 +51,11 @@ Application | Ti.ReadWrite.All | 'Read and write Indicators' ## HTTP request ``` -Delete https://api.securitycenter.windows.com/api/indicators/{id} +Delete https://api.securitycenter.microsoft.com/api/indicators/{id} ``` [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## Request headers Name | Type | Description @@ -71,6 +76,6 @@ If Indicator with the specified id was not found - 404 Not Found. Here is an example of the request. -``` -DELETE https://api.securitycenter.windows.com/api/indicators/995 +```http +DELETE https://api.securitycenter.microsoft.com/api/indicators/995 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md index 298867cbc0..21715873c5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md @@ -1,9 +1,9 @@ --- title: Deployment phases -description: Learn how to deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service +description: Learn how to deploy Microsoft Defender for Endpoint by preparing, setting up, and onboarding endpoints to that service keywords: deploy, prepare, setup, onboard, phase, deployment, deploying, adoption, configuring search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,10 +13,11 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-endpointprotect -- m365solution-overview + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-overview ms.topic: article +ms.technology: mde --- # Deployment phases @@ -25,29 +26,61 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) + +Learn how to deploy Microsoft Defender for Endpoint so that your enterprise can take advantage of preventative protection, post-breach detection, automated investigation, and response. -There are three phases in deploying Defender for Endpoint: +This guide helps you work across stakeholders to prepare your environment and then onboard devices in a methodical way, moving from evaluation, to a meaningful pilot, to full deployment. + +Each section corresponds to a separate article in this solution. + +![Image of deployment phases with details from table](images/deployment-guide-phases.png) + + +![Summary of deployment phases: prepare, setup, onboard](images/phase-diagrams/deployment-phases.png) |Phase | Description | |:-------|:-----| -| ![Phase 1: Prepare](images/prepare.png)
      [Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Defender for Endpoint:

      - Stakeholders and sign-off
      - Environment considerations
      - Access
      - Adoption order -| ![Phase 2: Setup](images/setup.png)
      [Phase 2: Setup](production-deployment.md)| Take the initial steps to access Microsoft Defender Security Center. You'll be guided on:

      - Validating the licensing
      - Completing the setup wizard within the portal
      - Network configuration| -| ![Phase 3: Onboard](images/onboard.png)
      [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them. +| [Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Defender for Endpoint such as stakeholder approvals, environment considerations, access permissions, and adoption order of capabilities. +| [Phase 2: Setup](production-deployment.md)| Get guidance on the initial steps you need to take so that you can access the portal such as validating licensing, completing the setup wizard, and network configuration. +| [Phase 3: Onboard](onboarding.md) | Learn how to make use of deployment rings, supported onboarding tools based on the type of endpoint, and configuring available capabilities. + + +After you've completed this guide, you'll be setup with the right access permissions, your endpoints will be onboarded and reporting sensor data to the service, and capabilities such as next-generation protection and attack surface reduction will be in place. -The deployment guide will guide you through the recommended path in deploying Defender for Endpoint. - -If you're unfamiliar with the general deployment planning steps, check out the [Plan deployment](deployment-strategy.md) topic to get a high-level overview of the general deployment steps and methods. +Regardless of the environment architecture and method of deployment you choose outlined in the [Plan deployment](deployment-strategy.md) guidance, this guide is going to support you in onboarding endpoints. -## In Scope -The following is in scope for this deployment guide: -- Use of Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager to onboard endpoints into the service and configure capabilities + + + +## Key capabilities + +While Microsoft Defender for Endpoint provides many capabilities, the primary purpose of this deployment guide is to get you started by onboarding devices. In addition to onboarding, this guidance gets you started with the following capabilities. + + + +Capability | Description +:---|:--- +Endpoint detection and response | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. +Next-generation protection | To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. +Attack surface reduction | Provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. + +All these capabilities are available for Microsoft Defender for Endpoint license holders. For more information, see [Licensing requirements](minimum-requirements.md#licensing-requirements). + +## Scope + +### In scope + +- Use of Microsoft Endpoint Manager and Microsoft Endpoint Manager to onboard endpoints into the service and configure capabilities - Enabling Defender for Endpoint endpoint detection and response (EDR) capabilities @@ -59,10 +92,19 @@ The following is in scope for this deployment guide: - Attack surface reduction -## Out of scope +### Out of scope The following are out of scope of this deployment guide: - Configuration of third-party solutions that might integrate with Defender for Endpoint - Penetration testing in production environment + + + + +## See also +- [Phase 1: Prepare](prepare-deployment.md) +- [Phase 2: Set up](production-deployment.md) +- [Phase 3: Onboard](onboarding.md) +- [Plan deployment](deployment-strategy.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-rings.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-rings.md index 8ad96f8300..099e614f4d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deployment-rings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-rings.md @@ -1,9 +1,9 @@ --- -title: Deploy Microsoft Defender ATP in rings -description: Learn how to deploy Microsoft Defender ATP in rings +title: Deploy Microsoft Defender for Endpoint in rings +description: Learn how to deploy Microsoft Defender for Endpoint in rings keywords: deploy, rings, evaluate, pilot, insider fast, insider slow, setup, onboard, phase, deployment, deploying, adoption, configuring search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,21 +13,24 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-endpointprotect -- m365solution-overview + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-overview ms.topic: article +ms.technology: mde --- -# Deploy Microsoft Defender ATP in rings +# Deploy Microsoft Defender for Endpoint in rings [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) -Deploying Microsoft Defender ATP can be done using a ring-based deployment approach. +Deploying Microsoft Defender for Endpoint can be done using a ring-based deployment approach. The deployment rings can be applied in the following scenarios: - [New deployments](#new-deployments) diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md index 9c14158aa2..5965d178c8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md @@ -1,9 +1,9 @@ --- -title: Plan your Microsoft Defender ATP deployment -description: Select the best Microsoft Defender ATP deployment strategy for your environment +title: Plan your Microsoft Defender for Endpoint deployment +description: Select the best Microsoft Defender for Endpoint deployment strategy for your environment keywords: deploy, plan, deployment strategy, cloud native, management, on prem, evaluation, onboarding, local, group policy, gp, endpoint manager, mem search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Plan your Microsoft Defender for Endpoint deployment @@ -22,18 +23,18 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) -Depending on the requirements of your environment, we've put together material to help guide you through the various options you can adopt to deploy Defender for Endpoint. -These are the general steps you need to take to deploy Defender for Endpoint: +Plan your Microsoft Defender for Endpoint deployment so that you can maximize the security capabilities within the suite and better protect your enterprise from cyber threats. -![Image of deployment flow](images/onboarding-flow-diagram.png) -- Identify architecture -- Select deployment method -- Configure capabilities +This solution provides guidance on how to identify your environment architecture, select the type of deployment tool that best fits your needs, and guidance on how to configure capabilities. + + +![Image of deployment flow](images/deployment-guide-plan.png) ## Step 1: Identify architecture @@ -43,7 +44,7 @@ Depending on your environment, some tools are better suited for certain architec Use the following material to select the appropriate Defender for Endpoint architecture that best suites your organization. -|**Item**|**Description**| +| Item | Description | |:-----|:-----| |[![Thumb image for Defender for Endpoint deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)
      [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures:

      • Cloud-native
      • Co-management
      • On-premise
      • Evaluation and local onboarding
        • diff --git a/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md b/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md index 8ab3495d50..f4adc4a723 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md +++ b/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md @@ -1,9 +1,9 @@ --- -title: Microsoft Defender ATP device timeline event flags -description: Use Microsoft Defender ATP device timeline event flags to -keywords: Defender ATP device timeline, event flags +title: Microsoft Defender for Endpoint device timeline event flags +description: Use Microsoft Defender for Endpoint device timeline event flags to +keywords: Defender for Endpoint device timeline, event flags search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,15 +12,20 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Defender for Endpoint device timeline event flags [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) Event flags in the Defender for Endpoint device timeline help you filter and organize specific events when you're investigate potential attacks. diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf index 72b92c313b..3b499bf158 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx index 21e90cfda0..6e2df9e071 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx index ded3b76626..b5683ec66f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 5498350b55..87d5219bad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -8,42 +8,44 @@ author: denisebmsft ms.author: deniseb manager: dansimp ms.reviewer: shwetaj -audience: ITPro -ms.topic: article -ms.prod: w10 +audience: ITPro +ms.topic: article +ms.prod: m365-security ms.localizationpriority: medium ms.custom: -- next-gen -- edr -ms.date: 08/21/2020 + - next-gen + - edr +ms.date: 01/26/2021 ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint +ms.technology: mde --- # Endpoint detection and response (EDR) in block mode [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) ## What is EDR in block mode? -When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is turned on, Defender for Endpoint blocks malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected, post breach. +[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach. EDR in block mode is also integrated with [threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Your organization's security team will get a [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) to turn EDR in block mode on if it isn't already enabled. :::image type="content" source="images/edrblockmode-TVMrecommendation.png" alt-text="recommendation to turn on EDR in block mode"::: > [!NOTE] -> EDR in block mode is currently in preview, available to organizations who have opted in to receive **[preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview)**. To get the best protection, make sure to **[deploy Microsoft Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. +> To get the best protection, make sure to **[deploy Microsoft Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. ## What happens when something is detected? -When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center). +When EDR in block mode is turned on, and a malicious artifact is detected, Microsoft Defender for Endpoint blocks and remediates that artifact. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center). The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode: @@ -69,35 +71,66 @@ The following image shows an instance of unwanted software that was detected and |Requirement |Details | |---------|---------| |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | -|Operating system |One of the following versions:
        - Windows 10 (all releases)
        - Windows Server 2016 or later | +|Operating system |One of the following versions:
        - Windows 10 (all releases)
        - Windows Server, version 1803 or newer
        - Windows Server 2019 | |Windows E5 enrollment |Windows E5 is included in the following subscriptions:
        - Microsoft 365 E5
        - Microsoft 365 E3 together with the Identity & Threat Protection offering

        See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | -|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled.

        See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | -|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
        In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | -|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
        In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | +|Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). | +|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | +|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | +|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | > [!IMPORTANT] -> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are defined. - +> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus. ## Frequently asked questions +### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices? + +We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides another layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections. + ### Will EDR in block mode have any impact on a user's antivirus protection? -No. EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. +EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), except it also blocks and remediates malicious artifacts or behaviors that are detected. ### Why do I need to keep Microsoft Defender Antivirus up to date? -Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date. +Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest device learning models, behavioral detections, and heuristics. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner. To get best protection value, you should keep Microsoft Defender Antivirus up to date. ### Why do we need cloud protection on? Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models. +### How do I set Microsoft Defender Antivirus to passive mode? + +See [Enable Microsoft Defender Antivirus and confirm it's in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode). + +### How do I confirm Microsoft Defender Antivirus is in active or passive mode? + +To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows. + +#### Use PowerShell + +1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results. + +2. Type `Get-MpComputerStatus`. + +3. In the list of results, in the **AMRunningMode** row, look for one of the following values: + - `Normal` + - `Passive Mode` + - `SxS Passive Mode` + +To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus). + +#### Use Command Prompt + +1. Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results. + +2. Type `sc query windefend`. + +3. In the list of results, in the **STATE** row, confirm that the service is running. + ## See also -[Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617) - -[Behavioral blocking and containment](behavioral-blocking-containment.md) - -[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus) +- [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617) +- [Behavioral blocking and containment](behavioral-blocking-containment.md) +- [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 603f751bdd..30d1bceeed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -3,7 +3,7 @@ title: Enable attack surface reduction rules description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques. keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,12 +13,18 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Enable attack surface reduction rules [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) [Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows: - Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later @@ -32,7 +38,7 @@ Each ASR rule contains one of three settings: - Block: Enable the ASR rule - Audit: Evaluate how the ASR rule would impact your organization if enabled -To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. +It's highly recommended you use ASR rules with a Windows E5 license (or similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). However, for other licenses like Windows Professional or E3 that don't have access to advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (e.g., Event Forwarding). > [!TIP] > To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf). @@ -45,7 +51,7 @@ You can enable attack surface reduction rules by using any of these methods: - [Group Policy](#group-policy) - [PowerShell](#powershell) -Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. +Enterprise-level management such as Intune or Microsoft Endpoint Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. ## Exclude files and folders from ASR rules @@ -98,7 +104,7 @@ Example: `OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions` -`Value: c:\path|e:\path|c:\Whitelisted.exe` +`Value: c:\path|e:\path|c:\Exclusions.exe` > [!NOTE] > Be sure to enter OMA-URI values without spaces. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 8af897f9a0..82ad65a1b2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -3,7 +3,7 @@ title: Enable controlled folder access keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use description: Learn how to protect your important files by enabling Controlled folder access search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,16 +13,18 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Enable controlled folder access [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) [Controlled folder access](controlled-folders.md) helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is included with Windows 10 and Windows Server 2019. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 368d58eee8..046a880398 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -3,25 +3,27 @@ title: Turn on exploit protection to help mitigate against attacks keywords: exploit, mitigation, attacks, vulnerability description: Learn how to enable exploit protection in Windows 10. Exploit protection helps protect your device against malware. search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: ksarens manager: dansimp +ms.technology: mde --- # Enable exploit protection [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) [Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps. @@ -30,14 +32,13 @@ manager: dansimp Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. -You can enable each mitigation separately by using any of these methods: - -* [Windows Security app](#windows-security-app) -* [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mdm) -* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) -* [Group Policy](#group-policy) -* [PowerShell](#powershell) +You can enable each mitigation separately by using any of these methods: +- [Windows Security app](#windows-security-app) +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options. @@ -47,41 +48,41 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au ## Windows Security app -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or by searching the start menu for **Security**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**. 3. Go to **Program settings** and choose the app you want to apply mitigations to.
        - - If the app you want to configure is already listed, click it and then click **Edit**. - - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
        - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - If the app you want to configure is already listed, select it, and then select **Edit**. + - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
        + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat steps 3-4 for all the apps and mitigations you want to configure. -6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
        +6. Under the **System settings** section, find the mitigation you want to configure and then specify one of the following settings. Apps that aren't configured individually in the **Program settings** section use the settings that are configured here.
        - **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation -7. Repeat step 6 for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +7. Repeat step 6 for all the system-level mitigations you want to configure. Select **Apply** when you're done setting up your configuration. If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: -Enabled in **Program settings** | Enabled in **System settings** | Behavior --|-|- -[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** -[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** -[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** -[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option +|Enabled in **Program settings** | Enabled in **System settings** | Behavior | +|:---|:---|:---| +|![Check mark yes](../images/svg/check-yes.svg) | ![Check mark no](../images/svg/check-no.svg) | As defined in **Program settings** | +|![Check mark yes](../images/svg/check-yes.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **Program settings** | +|![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **System settings** | +|![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | Default as defined in **Use default** option | ### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. -The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. +The result is that DEP is enabled only for *test.exe*. All other apps will not have DEP applied. ### Example 2: Josie configures Data Execution Prevention in system settings to be off by default @@ -89,66 +90,84 @@ Josie adds the app *test.exe* to the **Program settings** section. In the option Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. -The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. +The result is that DEP is enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**. 3. Go to **Program settings** and choose the app you want to apply mitigations to.
        - - If the app you want to configure is already listed, click it and then click **Edit**. - - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
        - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - If the app you want to configure is already listed, select it, and then select **Edit**. + - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
        + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration. ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -2. Click **Device configuration** > **Profiles** > **Create profile**. +2. Go to **Device configuration** > **Profiles** > **Create profile**. + +3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. -3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
        ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
        -4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. +4. Select **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. -5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
        ![Enable network protection in Intune](../images/enable-ep-intune.png)
        +5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: -6. Click **OK** to save each open blade and click **Create**. + ![Enable network protection in Intune](../images/enable-ep-intune.png)
        -7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. +6. Select **OK** to save each open blade, and then choose **Create**. + +7. Select the profile **Assignments** tab, assign the policy to **All Users & All Devices**, and then select **Save**. ## MDM Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode. +## Microsoft Endpoint Manager + +1. In Microsoft Endpoint Manager, go to **Endpoint Security** > **Attack surface reduction**. + +2. Select **Create Policy** > **Platform**, and for **Profile**, choose **Exploit Protection**. Then select **Create**. + +3. Specify a name and a description, and then choose **Next**. + +4. Select **Select XML File** and browse to the location of the exploit protection XML file. Select the file, and then choose **Next**. + +5. Configure **Scope tags** and **Assignments** if necessary. + +6. Under **Review + create**, review the configuration and then choose **Create**. + + ## Microsoft Endpoint Configuration Manager -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -2. Click **Home** > **Create Exploit Guard Policy**. +2. Select **Home** > **Create Exploit Guard Policy**. -3. Enter a name and a description, click **Exploit protection**, and click **Next**. +3. Specify a name and a description, select **Exploit protection**, and then choose **Next**. -4. Browse to the location of the exploit protection XML file and click **Next**. +4. Browse to the location of the exploit protection XML file and select **Next**. -5. Review the settings and click **Next** to create the policy. +5. Review the settings, and then choose **Next** to create the policy. -6. After the policy is created, click **Close**. +6. After the policy is created, select **Close**. ## Group Policy 1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. -4. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. +4. Select **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard), and then choose **OK**. ## PowerShell @@ -160,11 +179,8 @@ Get-ProcessMitigation -Name processName.exe > [!IMPORTANT] > System-level mitigations that have not been configured will show a status of `NOTSET`. -> -> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. -> -> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. -> +> - For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. +> - For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: @@ -207,44 +223,45 @@ If you need to restore the mitigation back to the system default, you need to in Set-Processmitigation -Name test.exe -Remove -Disable DEP ``` -This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. +This table lists the individual **Mitigations** (and **Audits**, when available) to be used with the `-Enable` or `-Disable` cmdlet parameters. -Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet -- | - | - | - -Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available -Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available -Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available -Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available -Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available -Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned -Disable extension points | App-level only | ExtensionPoint | Audit not available -Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall -Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available -Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available +| Mitigation type | Applies to | Mitigation cmdlet parameter keyword | Audit mode cmdlet parameter | +| :-------------- | :--------- | :---------------------------------- | :-------------------------- | +| Control flow guard (CFG) | System and app-level | `CFG`, `StrictCFG`, `SuppressExports` | Audit not available | +| Data Execution Prevention (DEP) | System and app-level | `DEP`, `EmulateAtlThunks` | Audit not available | +| Force randomization for images (Mandatory ASLR) | System and app-level | `ForceRelocateImages` | Audit not available | +| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | `BottomUp`, `HighEntropy` | Audit not available +| Validate exception chains (SEHOP) | System and app-level | `SEHOP`, `SEHOPTelemetry` | Audit not available | +| Validate heap integrity | System and app-level | `TerminateOnError` | Audit not available | +| Arbitrary code guard (ACG) | App-level only | `DynamicCode` | `AuditDynamicCode` | +| Block low integrity images | App-level only | `BlockLowLabel` | `AuditImageLoad` | +| Block remote images | App-level only | `BlockRemoteImages` | Audit not available | +| Block untrusted fonts | App-level only | `DisableNonSystemFonts` | `AuditFont`, `FontAuditOnly` | +| Code integrity guard | App-level only | `BlockNonMicrosoftSigned`, `AllowStoreSigned` | AuditMicrosoftSigned, AuditStoreSigned | +| Disable extension points | App-level only | `ExtensionPoint` | Audit not available | +| Disable Win32k system calls | App-level only | `DisableWin32kSystemCalls` | `AuditSystemCall` | +| Do not allow child processes | App-level only | `DisallowChildProcessCreation` | `AuditChildProcess` | +| Export address filtering (EAF) | App-level only | `EnableExportAddressFilterPlus`, `EnableExportAddressFilter` \[1\] | Audit not available\[2\] | +| Import address filtering (IAF) | App-level only | `EnableImportAddressFilter` | Audit not available\[2\] | +| Simulate execution (SimExec) | App-level only | `EnableRopSimExec` | Audit not available\[2\] | +| Validate API invocation (CallerCheck) | App-level only | `EnableRopCallerCheck` | Audit not available\[2\] | +| Validate handle usage | App-level only | `StrictHandle` | Audit not available | +| Validate image dependency integrity | App-level only | `EnforceModuleDepencySigning` | Audit not available | +| Validate stack integrity (StackPivot) | App-level only | `EnableRopStackPivot` | Audit not available\[2\] | \[1\]: Use the following format to enable EAF modules for DLLs for a process: ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` +\[2\]: Audit for this mitigation is not available via PowerShell cmdlets. ## Customize the notification -See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) article for more information about customizing the notification when a rule is triggered and blocks an app or file. -## Related topics +## See also -* [Evaluate exploit protection](evaluate-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index 4f9ad6dff7..08db900053 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -3,7 +3,7 @@ title: Turn on network protection description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager. keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,16 +12,18 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Turn on network protection [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) [Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index c4e8e36cbe..fe94731159 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -4,7 +4,7 @@ description: Enable SIEM integration to receive detections in your security info keywords: enable siem connector, siem, connector, security information and events search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,17 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Enable SIEM integration in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) @@ -49,7 +49,7 @@ Enable security information and event management (SIEM) integration so you can p ## Enabling SIEM integration 1. In the navigation pane, select **Settings** > **SIEM**. - ![Image of SIEM integration from Settings menu](images/enable_siem.png) + ![Image of SIEM integration from Settings menu1](images/enable_siem.png) >[!TIP] >If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability. @@ -60,7 +60,7 @@ Enable security information and event management (SIEM) integration so you can p >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
        - ![Image of SIEM integration from Settings menu](images/siem_details.png) + ![Image of SIEM integration from Settings menu2](images/siem_details.png) 3. Choose the SIEM type you use in your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md deleted file mode 100644 index 9c552f4e9c..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ /dev/null @@ -1,165 +0,0 @@ ---- -title: Enable Microsoft Defender for Endpoint Insider Device -description: Install and use Microsoft Defender for Endpoint (Mac). -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dansimp -author: dansimp -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint -ms.topic: conceptual ---- - -# Enable Microsoft Defender for Endpoint Insider Device - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - -To get preview features for Mac, you must set up your device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). - -> [!IMPORTANT] -> Make sure you have enabled [Microsoft Defender for Endpoint (Mac)](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md), and [manual deployment](mac-install-manually.md) instructions. - -## Enable the Insider program with Jamf - -1. Create configuration profile `com.microsoft.wdav.plist` with the following content: - - ```XML - - - - - edr - - earlyPreview - - - - - ``` - -1. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**. - -1. Create an entry with `com.microsoft.wdav` as the preference domain and upload the `.plist` created earlier. - - > [!WARNING] - > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product - -## Enable the Insider program with Intune - -1. Create configuration profile `com.microsoft.wdav.plist` with the following content: - - ```XML - - - - - PayloadUUID - C4E6A782-0C8D-44AB-A025-EB893987A295 - PayloadType - Configuration - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.wdav - PayloadDisplayName - Microsoft Defender ATP settings - PayloadDescription - Microsoft Defender ATP configuration settings - PayloadVersion - 1 - PayloadEnabled - - PayloadRemovalDisallowed - - PayloadScope - System - PayloadContent - - - PayloadUUID - 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 - PayloadType - com.microsoft.wdav - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.wdav - PayloadDisplayName - Microsoft Defender ATP configuration settings - PayloadDescription - - PayloadVersion - 1 - PayloadEnabled - - edr - - earlyPreview - - - - - - - ``` - -1. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**. - -1. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**. - -1. Save the `.plist` created earlier as com.microsoft.wdav.xml. - -1. Enter `com.microsoft.wdav` as the custom configuration profile name. - -1. Open the configuration profile and upload `com.microsoft.wdav.xml`. This file was created in step 1. - -1. Select  **OK**. - -1. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**. - - > [!WARNING] - > You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product. - -## Enable the Insider program manually on a single device - -In terminal, run: - -```bash - mdatp --edr --early-preview true -``` - -For versions earlier than 100.78.0, run: - -```bash - mdatp --edr --earlyPreview true -``` - -## Troubleshooting - -### Verify you are running the correct version - -To get the latest version of the Microsoft Defender for Endpoint (Mac), set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate). - -To verify you are running the correct version, run `mdatp --health` on the device. - -* The required version is 100.72.15 or later. -* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running `defaults read com.microsoft.autoupdate2` from the terminal. -* To change update settings, see [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1). -* If you are not using Office for Mac, download and run the AutoUpdate tool. - -### A device still does not appear on Microsoft Defender Security Center - -After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running `mdatp --connectivity-test`. - -* Check that you enabled the early preview flag. In the terminal, run `mdatp –health` and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”. - -If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment). diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md index b80ba00b38..66707cf26c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md @@ -2,10 +2,10 @@ title: Evaluate Microsoft Defender for Endpoint ms.reviewer: description: Evaluate the different security capabilities in Microsoft Defender for Endpoint. -keywords: attack surface reduction, evaluate, next, generation, protection +keywords: attack surface reduction, evaluate, next, generation, protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,16 +14,22 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Evaluate Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -[Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) + +[Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. You can evaluate Microsoft Defender for Endpoint in your organization by [starting your free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index 4fdbaae9b9..24fda19f6c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -3,7 +3,7 @@ title: Evaluate attack surface reduction rules description: See how attack surface reduction would block and prevent attacks with the custom demo tool. keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,6 +12,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Evaluate attack surface reduction rules @@ -20,8 +21,10 @@ manager: dansimp **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Set attack surface reduction rules for devices running any of the following editions and versions of Windows: @@ -39,10 +42,18 @@ Learn how to evaluate attack surface reduction rules by enabling audit mode to t Enable attack surface reduction rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how often the rules will fire during normal use. -To enable all attack surface reduction rules in audit mode, use the following PowerShell cmdlet: +To enable an attack surface reduction rule in audit mode, use the following PowerShell cmdlet: ```PowerShell -Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode +Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode +``` + +Where `` is a [GUID value of the attack surface reduction rule](attack-surface-reduction.md#attack-surface-reduction-rules). + +To enable all the added attack surface reduction rules in audit mode, use the following PowerShell cmdlet: + +```PowerShell +(Get-MpPreference).AttackSurfaceReductionRules_Ids | Foreach {Add-MpPreference -AttackSurfaceReductionRules_Ids $_ -AttackSurfaceReductionRules_Actions AuditMode} ``` > [!TIP] diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md index fb1a325c8e..6ae477dd83 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md @@ -3,7 +3,7 @@ title: Evaluate controlled folder access description: See how controlled folder access can help protect files from being changed by malicious apps. keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,16 +12,19 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Evaluate controlled folder access [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients. @@ -44,7 +47,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode > [!TIP] > If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). -You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). +You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Endpoint Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). ## Review controlled folder access events in Windows Event Viewer diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md index a6dcacc047..158be3a882 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md @@ -1,9 +1,9 @@ --- -title: See how exploit protection works in a demo +title: See how Exploit protection works in a demo description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps. keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,47 +11,50 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 08/28/2020 +ms.date: 01/06/2021 ms.reviewer: manager: dansimp +ms.technology: mde --- # Evaluate exploit protection [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.) -This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur. +Use exploit protection in audit mode to review related events in Event Viewer. By enabling audit mode, you'll see how mitigation works for certain apps in a test environment. Audit mode shows what *would* have happened if you enabled exploit protection in your production environment. This way, you can verify that exploit protection doesn't adversely affect your line-of-business apps, and see which suspicious or malicious events occur. > [!TIP] > You can also visit the Microsoft Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works. ## Enable exploit protection in audit mode -You can set mitigation in audit mode for specific programs either by using the Windows Security app or Windows PowerShell. +You can set mitigations in audit mode for specific programs by using the Windows Security app or Windows PowerShell. ### Windows Security app -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app. Select the shield icon in the task bar or search the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**. 3. Go to **Program settings** and choose the app you want to apply protection to: - 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + 1. If the app you want to configure is already listed, select it and then select **Edit** + 2. If the app is not listed at the top of the list select **Add program to customize**. Then, choose how you want to add the app. + - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. -4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. +4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You'll be notified if you need to restart the process, app, or Windows. -5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration. ### PowerShell @@ -64,7 +67,7 @@ Set-ProcessMitigation - - : * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. * \: @@ -72,10 +75,10 @@ Where: * `-Disable` to disable the mitigation * \: * The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma. - +``` |Mitigation | Audit mode cmdlet | |---|---| - |Arbitrary code guard (ACG) | `AuditDynamicCode` | + |Arbitrary Code Guard (ACG) | `AuditDynamicCode` | |Block low integrity images | `AuditImageLoad` |Block untrusted fonts | `AuditFont`, `FontAuditOnly` | |Code integrity guard | `AuditMicrosoftSigned`, `AuditStoreSigned` | @@ -88,20 +91,20 @@ For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode ``` -You can disable audit mode by replacing `-Enable` with `-Disable`. +You can disable **audit mode** by replacing `-Enable` with `-Disable`. ## Review exploit protection audit events To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log. -|Feature | Provider/source | Event ID | Description | +| Feature | Provider/source | Event ID | Description | |---|---|--|---| - |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit | - |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit | - |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit | - |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit | - |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit | - |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit | + | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit | + | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit | + | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit | + | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit | + | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit | + | Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit | ## See also diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md index 1da3fe309f..8be04a87c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md @@ -3,7 +3,7 @@ title: Evaluate network protection description: See how network protection works by testing common scenarios that it protects against. keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,16 +12,16 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Evaluate network protection [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) [Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index 64a0179395..608e465720 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md @@ -3,7 +3,7 @@ title: Microsoft Defender for Endpoint evaluation lab description: Learn about Microsoft Defender for Endpoint capabilities, run attack simulations, and see how it prevents, detects, and remediates threats. keywords: evaluate mdatp, evaluation, lab, simulation, windows 10, windows server 2019, evaluation lab search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-evalutatemtp + - M365-security-compliance + - m365solution-evalutatemtp ms.topic: article +ms.technology: mde --- # Microsoft Defender for Endpoint evaluation lab @@ -23,7 +24,11 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) + Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and device configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation. @@ -245,10 +250,10 @@ You can conveniently run any available simulation right from the catalog. Each simulation comes with an in-depth description of the attack scenario and references such as the MITRE attack techniques used and sample Advanced hunting queries you run. **Examples:** -![Image of simulation description details](images/simulation-details-aiq.png) +![Image of simulation description details1](images/simulation-details-aiq.png) -![Image of simulation description details](images/simulation-details-sb.png) +![Image of simulation description details2](images/simulation-details-sb.png) ## Evaluation report diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index a2b75300ee..6fbb30d6e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -4,7 +4,7 @@ description: Get descriptions and further troubleshooting steps (if required) fo keywords: troubleshoot, event viewer, log summary, failure code, failed, Microsoft Defender for Endpoint service, cannot start, broken, can't start search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 05/21/2018 +ms.technology: mde --- @@ -25,10 +26,11 @@ ms.date: 05/21/2018 **Applies to:** - - Event Viewer +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-views.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md index 9edcad6d34..e8b667e82c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-views.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-views.md @@ -3,7 +3,7 @@ title: View attack surface reduction events description: Import custom views to see attack surface reduction events. keywords: event view, exploit guard, audit, review, events search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,16 +12,18 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # View attack surface reduction events [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) Review attack surface reduction events in Event Viewer to monitor what rules or settings are working. You can also determine if any settings are too "noisy" or impacting your day to day workflow. diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index ba855cf88a..79a6fd80df 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -4,17 +4,18 @@ keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, expl description: Details on how the exploit protection feature works in Windows 10 search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium audience: ITPro -author: appcompatguy -ms.author: cjacks -ms.date: 07/20/2020 -ms.reviewer: -manager: saudm +author: denisebmsft +ms.author: deniseb +ms.date: 01/06/2021 +ms.reviewer: cjacks +manager: dansimp ms.custom: asr +ms.technology: mde --- # Exploit Protection Reference @@ -23,8 +24,10 @@ ms.custom: asr **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) Exploit protection provides advanced protections for applications that the IT Pro can apply after the developer has compiled and distributed the software. @@ -223,7 +226,7 @@ Block low integrity images will prevent the application from loading files that ### Description -Block remote images will prevent the application from loading files that are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory that are on an external device controlled by the attacker. +Blocking remote images helps to prevent the application from loading files that are hosted on a remote device, such as a UNC share. Blocking remote images helps protect against loading binaries into memory that are on an external device controlled by the attacker. This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error. @@ -257,7 +260,7 @@ The most common use of fonts outside of the system fonts directory is with [web ### Description -Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. This includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process. +Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. Code integrity guard includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process. This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary that is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process. @@ -275,9 +278,9 @@ This mitigation specifically blocks any binary that is not signed by Microsoft. ### Description -Control flow guard (CFG) mitigates the risk of attackers leveraging memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program). +Control flow guard (CFG) mitigates the risk of attackers using memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program). -This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation. +This mitigation is provided by injecting another check at compile time. Before each indirect function call, another instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation. The check for a valid target is provided by the Windows kernel. When executable files are loaded, the metadata for indirect call targets is extracted at load time and marked as valid call targets. Additionally, when memory is allocated and marked as executable (such as for generated code), these memory locations are also marked as valid call targets, to support mechanisms such as JIT compilation. @@ -296,7 +299,7 @@ Since applications must be compiled to support CFG, they implicitly declare thei ### Description -Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code. +Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. DEP helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code. If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash. @@ -304,7 +307,7 @@ If you attempt to set the instruction pointer to a memory address not marked as All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is assumed. -All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. +All x86 (32-bit) binaries have DEP enabled by default, but DEP can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, might not be compatible with DEP. Such applications typically generate code dynamically (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. ### Configuration options @@ -324,7 +327,7 @@ This includes: ### Compatibility considerations -Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third party Legacy IMEs that will not work with the protected application. +Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third-party Legacy IMEs that will not work with the protected application. ### Configuration options @@ -341,7 +344,7 @@ Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode com ### Compatibility considerations -This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation. +This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will use process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation. ### Configuration options @@ -379,18 +382,18 @@ This mitigation is primarily an issue for applications such as debuggers, sandbo ### Configuration options -**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for additional commonly attacked modules: +**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for other commonly attacked modules: -- mshtml.dll -- flash*.ocx -- jscript*.ocx -- vbscript.dll -- vgx.dll -- mozjs.dll -- xul.dll -- acrord32.dll -- acrofx32.dll -- acroform.api +- `mshtml.dll` +- `flash*.ocx` +- `jscript*.ocx` +- `vbscript.dll` +- `vgx.dll` +- `mozjs.dll` +- `xul.dll` +- `acrord32.dll` +- `acrofx32.dll` +- `acroform.api` Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory. @@ -400,7 +403,7 @@ Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection t ### Description -Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker leveraging techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose. +Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker using techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose. Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019&preserve-view=true) linker option, and this mitigation has the same effect. @@ -427,31 +430,31 @@ The memory pages for all protected APIs will have the [PAGE_GUARD](https://docs. This mitigation protects the following Windows APIs: -- GetProcAddress -- GetProcAddressForCaller -- LoadLibraryA -- LoadLibraryExA -- LoadLibraryW -- LoadLibraryExW -- LdrGetProcedureAddress -- LdrGetProcedureAddressEx -- LdrGetProcedureAddressForCaller -- LdrLoadDll -- VirtualProtect -- VirtualProtectEx -- VirtualAlloc -- VirtualAllocEx -- NtAllocateVirtualMemory -- NtProtectVirtualMemory -- CreateProcessA -- CreateProcessW -- WinExec -- CreateProcessAsUserA -- CreateProcessAsUserW -- GetModuleHandleA -- GetModuleHandleW -- RtlDecodePointer -- DecodePointer +- `GetProcAddress` +- `GetProcAddressForCaller` +- `LoadLibraryA` +- `LoadLibraryExA` +- `LoadLibraryW` +- `LoadLibraryExW` +- `LdrGetProcedureAddress` +- `LdrGetProcedureAddressEx` +- `LdrGetProcedureAddressForCaller` +- `LdrLoadDll` +- `VirtualProtect` +- `VirtualProtectEx` +- `VirtualAlloc` +- `VirtualAllocEx` +- `NtAllocateVirtualMemory` +- `NtProtectVirtualMemory` +- `CreateProcessA` +- `CreateProcessW` +- `WinExec` +- `CreateProcessAsUserA` +- `CreateProcessAsUserW` +- `GetModuleHandleA` +- `GetModuleHandleW` +- `RtlDecodePointer` +- `DecodePointer` ### Compatibility considerations @@ -471,7 +474,7 @@ The size of the 32-bit address space places practical constraints on the entropy ### Compatibility considerations -Most applications that are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled). +Most applications that are compatible with Mandatory ASLR (rebasing) are also compatible with the other entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled). ### Configuration options @@ -488,40 +491,40 @@ Simulate execution (SimExec) is a mitigation for 32-bit applications only. This The APIs intercepted by this mitigation are: -- LoadLibraryA -- LoadLibraryW -- LoadLibraryExA -- LoadLibraryExW -- LdrLoadDll -- VirtualAlloc -- VirtualAllocEx -- NtAllocateVirtualMemory -- VirtualProtect -- VirtualProtectEx -- NtProtectVirtualMemory -- HeapCreate -- RtlCreateHeap -- CreateProcessA -- CreateProcessW -- CreateProcessInternalA -- CreateProcessInternalW -- NtCreateUserProcess -- NtCreateProcess -- NtCreateProcessEx -- CreateRemoteThread -- CreateRemoteThreadEx -- NtCreateThreadEx -- WriteProcessMemory -- NtWriteVirtualMemory -- WinExec -- CreateFileMappingA -- CreateFileMappingW -- CreateFileMappingNumaW -- NtCreateSection -- MapViewOfFile -- MapViewOfFileEx -- MapViewOfFileFromApp -- LdrGetProcedureAddressForCaller +- `LoadLibraryA` +- `LoadLibraryW` +- `LoadLibraryExA` +- `LoadLibraryExW` +- `LdrLoadDll` +- `VirtualAlloc` +- `VirtualAllocEx` +- `NtAllocateVirtualMemory` +- `VirtualProtect` +- `VirtualProtectEx` +- `NtProtectVirtualMemory` +- `HeapCreate` +- `RtlCreateHeap` +- `CreateProcessA` +- `CreateProcessW` +- `CreateProcessInternalA` +- `CreateProcessInternalW` +- `NtCreateUserProcess` +- `NtCreateProcess` +- `NtCreateProcessEx` +- `CreateRemoteThread` +- `CreateRemoteThreadEx` +- `NtCreateThreadEx` +- `WriteProcessMemory` +- `NtWriteVirtualMemory` +- `WinExec` +- `CreateFileMappingA` +- `CreateFileMappingW` +- `CreateFileMappingNumaW` +- `NtCreateSection` +- `MapViewOfFile` +- `MapViewOfFileEx` +- `MapViewOfFileFromApp` +- `LdrGetProcedureAddressForCaller` If a ROP gadget is detected, the process is terminated. @@ -543,40 +546,40 @@ Validate API invocation (CallerCheck) is a mitigation for return-oriented progra The APIs intercepted by this mitigation are: -- LoadLibraryA -- LoadLibraryW -- LoadLibraryExA -- LoadLibraryExW -- LdrLoadDll -- VirtualAlloc -- VirtualAllocEx -- NtAllocateVirtualMemory -- VirtualProtect -- VirtualProtectEx -- NtProtectVirtualMemory -- HeapCreate -- RtlCreateHeap -- CreateProcessA -- CreateProcessW -- CreateProcessInternalA -- CreateProcessInternalW -- NtCreateUserProcess -- NtCreateProcess -- NtCreateProcessEx -- CreateRemoteThread -- CreateRemoteThreadEx -- NtCreateThreadEx -- WriteProcessMemory -- NtWriteVirtualMemory -- WinExec -- CreateFileMappingA -- CreateFileMappingW -- CreateFileMappingNumaW -- NtCreateSection -- MapViewOfFile -- MapViewOfFileEx -- MapViewOfFileFromApp -- LdrGetProcedureAddressForCaller +- `LoadLibraryA` +- `LoadLibraryW` +- `LoadLibraryExA` +- `LoadLibraryExW` +- `LdrLoadDll` +- `VirtualAlloc` +- `VirtualAllocEx` +- `NtAllocateVirtualMemory` +- `VirtualProtect` +- `VirtualProtectEx` +- `NtProtectVirtualMemory` +- `HeapCreate` +- `RtlCreateHeap` +- `CreateProcessA` +- `CreateProcessW` +- `CreateProcessInternalA` +- `CreateProcessInternalW` +- `NtCreateUserProcess` +- `NtCreateProcess` +- `NtCreateProcessEx` +- `CreateRemoteThread` +- `CreateRemoteThreadEx` +- `NtCreateThreadEx` +- `WriteProcessMemory` +- `NtWriteVirtualMemory` +- `WinExec` +- `CreateFileMappingA` +- `CreateFileMappingW` +- `CreateFileMappingNumaW` +- `NtCreateSection` +- `MapViewOfFile` +- `MapViewOfFileEx` +- `MapViewOfFileFromApp` +- `LdrGetProcedureAddressForCaller` If a ROP gadget is detected, the process is terminated. @@ -594,7 +597,7 @@ This mitigation is incompatible with the Arbitrary Code Guard mitigation. ### Description -Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice. +Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can use a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice. This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that: @@ -619,7 +622,7 @@ Compatibility issues with SEHOP are relatively rare. It's uncommon for an applic ### Description -*Validate handle usage* is a mitigation that helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE). +*Validate handle usage* is a mitigation that helps protect against an attacker using an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE). This mitigation is automatically applied to Windows Store applications. @@ -639,7 +642,7 @@ Applications that were not accurately tracking handle references, and which were The *validate heap integrity* mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected. The mitigations include: - Preventing a HEAP handle from being freed -- Performing additional validation on extended block headers for heap allocations +- Performing another validation on extended block headers for heap allocations - Verifying that heap allocations are not already flagged as in-use - Adding guard pages to large allocations, heap segments, and subsegments above a minimum size @@ -672,48 +675,48 @@ Compatibility issues are uncommon. Applications that depend on replacing Windows The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack that controls the flow of execution. -This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated. +This mitigation intercepts many Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated. The APIs intercepted by this mitigation are: -- LoadLibraryA -- LoadLibraryW -- LoadLibraryExA -- LoadLibraryExW -- LdrLoadDll -- VirtualAlloc -- VirtualAllocEx -- NtAllocateVirtualMemory -- VirtualProtect -- VirtualProtectEx -- NtProtectVirtualMemory -- HeapCreate -- RtlCreateHeap -- CreateProcessA -- CreateProcessW -- CreateProcessInternalA -- CreateProcessInternalW -- NtCreateUserProcess -- NtCreateProcess -- NtCreateProcessEx -- CreateRemoteThread -- CreateRemoteThreadEx -- NtCreateThreadEx -- WriteProcessMemory -- NtWriteVirtualMemory -- WinExec -- CreateFileMappingA -- CreateFileMappingW -- CreateFileMappingNumaW -- NtCreateSection -- MapViewOfFile -- MapViewOfFileEx -- MapViewOfFileFromApp -- LdrGetProcedureAddressForCaller +- `LoadLibraryA` +- `LoadLibraryW` +- `LoadLibraryExA` +- `LoadLibraryExW` +- `LdrLoadDll` +- `VirtualAlloc` +- `VirtualAllocEx` +- `NtAllocateVirtualMemory` +- `VirtualProtect` +- `VirtualProtectEx` +- `NtProtectVirtualMemory` +- `HeapCreate` +- `RtlCreateHeap` +- `CreateProcessA` +- `CreateProcessW` +- `CreateProcessInternalA` +- `CreateProcessInternalW` +- `NtCreateUserProcess` +- `NtCreateProcess` +- `NtCreateProcessEx` +- `CreateRemoteThread` +- `CreateRemoteThreadEx` +- `NtCreateThreadEx` +- `WriteProcessMemory` +- `NtWriteVirtualMemory` +- `WinExec` +- `CreateFileMappingA` +- `CreateFileMappingW` +- `CreateFileMappingNumaW` +- `NtCreateSection` +- `MapViewOfFile` +- `MapViewOfFileEx` +- `MapViewOfFileFromApp` +- `LdrGetProcedureAddressForCaller` ### Compatibility considerations -Applications that are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. +Applications that are using fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. Applications that perform API interception, particularly security software, can cause compatibility problems with this mitigation. This mitigation is incompatible with the Arbitrary Code Guard mitigation. diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index b2ad6f832b..60c5bce436 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -3,7 +3,7 @@ title: Apply mitigations to help prevent attacks through vulnerabilities keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet description: Protect devices against exploits with Windows 10. Windows 10 has advanced exploit protection capabilities, building upon and improving the settings available in Enhanced Mitigation Experience Toolkit (EMET). search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.date: 10/21/2020 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Protect devices from exploits @@ -23,8 +24,10 @@ ms.custom: asr **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803. diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 4bbd942ec8..ca1f1ea37e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -1,10 +1,10 @@ --- -title: Use Microsoft Defender for Endpoint APIs +title: Use Microsoft Defender for Endpoint APIs ms.reviewer: description: Learn how to design a native Windows app to get programmatic access to Microsoft Defender for Endpoint without a user. keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Use Microsoft Defender for Endpoint APIs @@ -22,9 +23,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] This page describes how to create an application to get programmatic access to Defender for Endpoint on behalf of a user. @@ -50,18 +56,30 @@ This page explains how to create an AAD application, get an access token to Micr ## Create an app -1. Log on to [Azure](https://portal.azure.com) with user that has **Global Administrator** role. +1. Log on to [Azure](https://portal.azure.com) with a user account that has the **Global Administrator** role. 2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**. ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app2.png) -3. In the registration from, enter the following information then select **Register**. +3. When the **Register an application** page appears, enter your application's registration information: - ![Image of Create application window](images/nativeapp-create2.png) + - **Name** - Enter a meaningful application name that will be displayed to users of the app. + - **Supported account types** - Select which accounts you would like your application to support. - - **Name:** -Your application name- - - **Application type:** Public client + | Supported account types | Description | + |-------------------------|-------------| + | **Accounts in this organizational directory only** | Select this option if you're building a line-of-business (LOB) application. This option is not available if you're not registering the application in a directory.

        This option maps to Azure AD only single-tenant.

        This is the default option unless you're registering the app outside of a directory. In cases where the app is registered outside of a directory, the default is Azure AD multi-tenant and personal Microsoft accounts. | + | **Accounts in any organizational directory** | Select this option if you would like to target all business and educational customers.

        This option maps to an Azure AD only multi-tenant.

        If you registered the app as Azure AD only single-tenant, you can update it to be Azure AD multi-tenant and back to single-tenant through the **Authentication** blade. | + | **Accounts in any organizational directory and personal Microsoft accounts** | Select this option to target the widest set of customers.

        This option maps to Azure AD multi-tenant and personal Microsoft accounts.

        If you registered the app as Azure AD multi-tenant and personal Microsoft accounts, you cannot change this in the UI. Instead, you must use the application manifest editor to change the supported account types. | + + - **Redirect URI (optional)** - Select the type of app you're building, **Web** or **Public client (mobile & desktop)**, and then enter the redirect URI (or reply URL) for your application. + - For web applications, provide the base URL of your app. For example, `http://localhost:31544` might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application. + - For public client applications, provide the URI used by Azure AD to return token responses. Enter a value specific to your application, such as `myapp://auth`. + + To see specific examples for web applications or native applications, check out our [quickstarts](/azure/active-directory/develop/#quickstarts). + + When finished, select **Register**. 4. Allow your Application to access Microsoft Defender for Endpoint and assign it 'Read alerts' permission: @@ -115,9 +133,9 @@ For more information on AAD tokens, see [Azure AD tutorial](https://docs.microso public static class WindowsDefenderATPUtils { - private const string Authority = "https://login.windows.net"; + private const string Authority = "https://login.microsoftonline.com"; - private const string WdatpResourceId = "https://api.securitycenter.windows.com"; + private const string WdatpResourceId = "https://api.securitycenter.microsoft.com"; public static async Task AcquireUserTokenAsync(string username, string password, string appId, string tenantId) { @@ -163,7 +181,7 @@ Verify to make sure you got a correct token: ```csharp var httpClient = new HttpClient(); - var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); + var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.microsoft.com/api/alerts"); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md index e2de608fbd..664f1c63be 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md @@ -1,10 +1,10 @@ --- -title: Create an Application to access Microsoft Defender for Endpoint without a user +title: Create an Application to access Microsoft Defender for Endpoint without a user ms.reviewer: description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint without a user. keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Partner access through Microsoft Defender for Endpoint APIs @@ -22,9 +23,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) This page describes how to create an Azure Active Directory (Azure AD) application to get programmatic access to Microsoft Defender for Endpoint on behalf of your customers. @@ -139,8 +145,8 @@ $tenantId = '' ### Paste your tenant ID here $appId = '' ### Paste your Application ID here $appSecret = '' ### Paste your Application key here -$resourceAppIdUri = 'https://api.securitycenter.windows.com' -$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$resourceAppIdUri = 'https://api.securitycenter.microsoft.com' +$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token" $authBody = [Ordered] @{ resource = "$resourceAppIdUri" client_id = "$appId" @@ -172,8 +178,8 @@ return $token string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place! - const string authority = "https://login.windows.net"; - const string wdatpResourceId = "https://api.securitycenter.windows.com"; + const string authority = "https://login.microsoftonline.com"; + const string wdatpResourceId = "https://api.securitycenter.microsoft.com"; AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/"); ClientCredential clientCredential = new ClientCredential(appId, appSecret); @@ -227,7 +233,7 @@ Sanity check to make sure you got a correct token: ``` var httpClient = new HttpClient(); - var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); + var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.microsoft.com/api/alerts"); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index a7584847f9..3118860e56 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md @@ -4,7 +4,7 @@ ms.reviewer: description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint without a user. keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create an app to access Microsoft Defender for Endpoint without a user @@ -22,10 +23,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + This page describes how to create an application to get programmatic access to Defender for Endpoint without a user. If you need programmatic access to Defender for Endpoint on behalf of a user, see [Get access with user context](exposed-apis-create-app-nativeapp.md). If you are not sure which access you need, see [Get started](apis-intro.md). Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). @@ -117,8 +122,8 @@ $tenantId = '' ### Paste your tenant ID here $appId = '' ### Paste your Application ID here $appSecret = '' ### Paste your Application key here -$resourceAppIdUri = 'https://api.securitycenter.windows.com' -$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$resourceAppIdUri = 'https://api.securitycenter.microsoft.com' +$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token" $authBody = [Ordered] @{ resource = "$resourceAppIdUri" client_id = "$appId" @@ -150,8 +155,8 @@ The following code was tested with NuGet Microsoft.IdentityModel.Clients.ActiveD string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place! - const string authority = "https://login.windows.net"; - const string wdatpResourceId = "https://api.securitycenter.windows.com"; + const string authority = "https://login.microsoftonline.com"; + const string wdatpResourceId = "https://api.securitycenter.microsoft.com"; AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/"); ClientCredential clientCredential = new ClientCredential(appId, appSecret); @@ -204,7 +209,7 @@ The following is an example of sending a request to get a list of alerts **using ``` var httpClient = new HttpClient(); - var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); + var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.microsoft.com/api/alerts"); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md index 31142c2936..e2ceff454e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md @@ -4,7 +4,7 @@ ms.reviewer: description: Use these code samples, querying several Microsoft Defender for Endpoint APIs. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article +ms.collection: M365-security-compliance +ms.topic: article ms.date: 09/24/2018 +ms.technology: mde --- # Microsoft Defender for Endpoint APIs using PowerShell [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) Full scenario using multiple APIs from Microsoft Defender for Endpoint. @@ -63,7 +70,7 @@ $appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret $suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here $resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice' -$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token" $authBody = [Ordered] @{ resource = "$resourceAppIdUri" client_id = "$appId" @@ -75,7 +82,7 @@ $aadToken = $authResponse.access_token #Get latest alert -$alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10" +$alertUrl = "https://api.securitycenter.microsoft.com/api/alerts?`$top=10" $headers = @{ 'Content-Type' = 'application/json' Accept = 'application/json' @@ -108,7 +115,7 @@ $query = "NetworkCommunicationEvents | where RemoteUrl == `"$suspiciousUrl`" | summarize ConnectionsCount = count() by MachineId" -$queryUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run" +$queryUrl = "https://api.securitycenter.microsoft.com/api/advancedqueries/run" $queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query } $queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md index 785ac39e0d..4bca78843c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md @@ -1,10 +1,10 @@ --- -title: Supported Microsoft Defender for Endpoint APIs +title: Supported Microsoft Defender for Endpoint APIs ms.reviewer: -description: Learn about the specific supported Microsoft Defender for Endpoint entities where you can create API calls to. +description: Learn about the specific supported Microsoft Defender for Endpoint entities where you can create API calls to. keywords: apis, supported apis, actor, alerts, device, user, domain, ip, file, advanced queries, advanced hunting search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Supported Microsoft Defender for Endpoint APIs @@ -22,7 +23,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) @@ -30,9 +31,9 @@ ms.topic: article ### Endpoint URI: -> The service base URI is: https://api.securitycenter.windows.com +> The service base URI is: https://api.securitycenter.microsoft.com > -> The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to https://api.securitycenter.windows.com/api/alerts +> The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to https://api.securitycenter.microsoft.com/api/alerts ### Versioning: @@ -40,9 +41,14 @@ ms.topic: article > > The current version is **V1.0**. > -> To use a specific version, use this format: `https://api.securitycenter.windows.com/api/{Version}`. For example: `https://api.securitycenter.windows.com/api/v1.0/alerts` +> To use a specific version, use this format: `https://api.securitycenter.microsoft.com/api/{Version}`. For example: `https://api.securitycenter.microsoft.com/api/v1.0/alerts` > -> If you don't specify any version (e.g. https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version. +> If you don't specify any version (e.g. https://api.securitycenter.microsoft.com/api/alerts ) you will get to the latest version. + + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index b4a487ffbe..1f9f6cb3b5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -4,7 +4,7 @@ ms.reviewer: description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender for Endpoint. keywords: apis, supported apis, odata, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,33 +13,39 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # OData queries with Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/) Not all properties are filterable. -## Properties that supports $filter: - +## Properties that support $filter: +``` - [Alert](alerts.md): ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category```. - [Machine](machine.md): ```ComputerDnsName```, ```LastSeen```, ```HealthStatus```, ```OsPlatform```, ```RiskScore``` and ```RbacGroupId```. - [MachineAction](machineaction.md): ```Status```, ```MachineId```, ```Type```, ```Requestor``` and ```CreationDateTimeUtc```. - [Indicator](ti-indicator.md): ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```severity ``` and ```action ```. - +``` ### Example 1 -Get 10 latest Alerts with related Evidence +Get 10 latest Alerts with related Evidence: ```http HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence @@ -52,75 +58,51 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts", "value": [ { - "id": "da637306396589640224_1753239473", - "incidentId": 875832, - "investigationId": 478434, + "id": "da637472900382838869_1364969609", + "incidentId": 1126093, + "investigationId": null, "assignedTo": null, "severity": "Low", "status": "New", "classification": null, "determination": null, - "investigationState": "PendingApproval", - "detectionSource": "WindowsDefenderAv", - "category": "UnwantedSoftware", - "threatFamilyName": "InstallCore", - "title": "An active 'InstallCore' unwanted software was detected", - "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.", - "alertCreationTime": "2020-07-18T03:27:38.9483995Z", - "firstEventTime": "2020-07-18T03:25:39.6124549Z", - "lastEventTime": "2020-07-18T03:26:18.4362304Z", - "lastUpdateTime": "2020-07-18T03:28:19.76Z", + "investigationState": "Queued", + "detectionSource": "WindowsDefenderAtp", + "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952", + "category": "Execution", + "threatFamilyName": null, + "title": "Low-reputation arbitrary code executed by signed executable", + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.", + "alertCreationTime": "2021-01-26T20:33:57.7220239Z", + "firstEventTime": "2021-01-26T20:31:32.9562661Z", + "lastEventTime": "2021-01-26T20:31:33.0577322Z", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", "resolvedTime": null, - "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa", - "computerDnsName": "temp2.redmond.corp.microsoft.com", - "rbacGroupName": "Ring0", - "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47", + "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625", + "computerDnsName": "temp123.middleeast.corp.microsoft.com", + "rbacGroupName": "A", + "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { - "userName": "temp2", - "domainName": "REDMOND" - }, - "comments": [], + "userName": "temp123", + "domainName": "MIDDLEEAST" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop123@contoso.com", + "createdTime": "2021-01-26T01:00:37.8404534Z" + } + ], "evidence": [ - { - "entityType": "File", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": null, - "processCommandLine": null, - "processCreationTime": null, - "parentProcessId": null, - "parentProcessCreationTime": null, - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, - { - "entityType": "Process", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": 24348, - "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ", - "processCreationTime": "2020-07-18T03:25:38.5269993Z", - "parentProcessId": 16840, - "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z", - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, { "entityType": "User", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", "sha1": null, "sha256": null, "fileName": null, @@ -130,13 +112,74 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev "processCreationTime": null, "parentProcessId": null, "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, "ipAddress": null, "url": null, - "accountName": "temp2", - "domainName": "REDMOND", - "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363", - "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d", - "userPrincipalName": "temp2@microsoft.com" + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": "eranb", + "domainName": "MIDDLEEAST", + "userSid": "S-1-5-21-11111607-1111760036-109187956-75141", + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "userPrincipalName": "temp123@microsoft.com", + "detectionStatus": null + }, + { + "entityType": "Process", + "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z", + "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", + "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6", + "fileName": "rundll32.exe", + "filePath": "C:\\Windows\\SysWOW64", + "processId": 3276, + "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe", + "processCreationTime": "2021-01-26T20:31:32.9581596Z", + "parentProcessId": 8420, + "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z", + "parentProcessFileName": "rundll32.exe", + "parentProcessFilePath": "C:\\Windows\\System32", + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + }, + { + "entityType": "File", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c", + "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608", + "fileName": "suspicious.dll", + "filePath": "c:\\temp", + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" } ] }, @@ -147,17 +190,17 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev ### Example 2 -Get all the alerts last updated after 2019-11-22 00:00:00 +Get all the alerts last updated after 2019-11-22 00:00:00: ```http -HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z +HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z ``` **Response:** ```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts", "value": [ { "id": "da637308392288907382_-880718168", @@ -183,6 +226,12 @@ HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTi "computerDnsName": "temp123.middleeast.corp.microsoft.com", "rbacGroupName": "MiddleEast", "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { "userName": "temp123", "domainName": "MIDDLEEAST" @@ -203,38 +252,52 @@ HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTi ### Example 3 -Get all the devices with 'High' 'RiskScore' +Get all the devices with 'High' 'RiskScore': ```http -HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High' +HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScore+eq+'High' ``` **Response:** ```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, "healthStatus": "Active", - "rbacGroupId": 140, + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "High", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } @@ -242,38 +305,52 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+ ### Example 4 -Get top 100 devices with 'HealthStatus' not equals to 'Active' +Get top 100 devices with 'HealthStatus' not equals to 'Active': ```http -HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100 +HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100 ``` **Response:** ```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "ImpairedCommunication", - "rbacGroupId": 140, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } @@ -281,38 +358,52 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStat ### Example 5 -Get all the devices that last seen after 2018-10-20 +Get all the devices that last seen after 2018-10-20: ```http -HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z +HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen gt 2018-08-01Z ``` **Response:** ```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "ImpairedCommunication", - "rbacGroupId": 140, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } @@ -320,17 +411,17 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen g ### Example 6 -Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint +Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint: ```http -HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan' +HTTP GET https://api.securitycenter.microsoft.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan' ``` **Response:** ```json json{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions", "value": [ { "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", @@ -355,7 +446,7 @@ json{ Get the count of open alerts for a specific device: ```http -HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved' +HTTP GET https://api.securitycenter.microsoft.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved' ``` **Response:** @@ -364,5 +455,58 @@ HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415 4 ``` +### Example 8 + +Get all the devices with 'computerDnsName' starting with 'mymachine': + +```http +HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=startswith(computerDnsName,'mymachine') +``` + +**Response:** + +```json +json{ + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", + "osPlatform": "Windows10", + "osProcessor": "x64", + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, + ... + ] +} +``` + ## See also - [Microsoft Defender for Endpoint APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md index b5ac0c1ea5..49256a6cd9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md +++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md @@ -8,14 +8,15 @@ author: denisebmsft ms.author: deniseb manager: dansimp ms.reviewer: shwetaj -audience: ITPro -ms.topic: article -ms.prod: w10 +audience: ITPro +ms.topic: article +ms.prod: m365-security ms.localizationpriority: medium ms.custom: -- next-gen -- edr + - next-gen + - edr ms.collection: +ms.technology: mde --- # Feedback-loop blocking @@ -24,8 +25,7 @@ ms.collection: **Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ## Overview diff --git a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md index a4f175566c..97b76caa30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md @@ -4,7 +4,7 @@ description: Learn how to fetch alerts from a customer tenant keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,22 +13,20 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Fetch alerts from MSSP customer tenant [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) - >[!NOTE] >This action is taken by the MSSP. diff --git a/windows/security/threat-protection/microsoft-defender-atp/files.md b/windows/security/threat-protection/microsoft-defender-atp/files.md index 6289c8645b..eb0cf41168 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/files.md @@ -3,7 +3,7 @@ title: File resource type description: Retrieve recent Microsoft Defender for Endpoint alerts related to files. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # File resource type @@ -21,10 +22,15 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + + Represent a file entity in Defender for Endpoint. ## Methods diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md deleted file mode 100644 index 0d640fa36f..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md +++ /dev/null @@ -1,91 +0,0 @@ ---- -title: Find device information by internal IP API -description: Use this API to create calls related to finding a device entry around a specific timestamp by internal IP. -keywords: ip, apis, graph api, supported apis, find device, device information -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Find device information by internal IP API - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -**Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -Find a device by internal IP. - ->[!NOTE] ->The timestamp must be within the last 30 days. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | Machine.Read.All | 'Read all machine profiles' -Application | Machine.ReadWrite.All | 'Read and write all machine information' - -## HTTP request -``` -GET /api/machines/find(timestamp={time},key={IP}) -``` - -## Request headers - -Name | Type | Description -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful and machine exists - 200 OK. -If no machine found - 404 Not Found. - - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61') -Content-type: application/json -``` - -**Response** - -Here is an example of the response. - -The response will return a list of all devices that reported this IP address within sixteen minutes prior and after the timestamp. - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", - "value": [ - { - "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb", - "computerDnsName": "", - "firstSeen": "2017-07-06T01:25:04.9480498Z", - "osPlatform": "Windows10", -… -} -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md index 3db35c6164..091e9c45de 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md @@ -1,9 +1,9 @@ --- title: Find devices by internal IP API -description: Find devices seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp +description: Find devices seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp keywords: apis, graph api, supported apis, get, device, IP, find, find device, by ip, ip search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Find devices by internal IP API @@ -21,9 +22,13 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -75,8 +80,6 @@ If the timestamp is not in the past 30 days - 400 Bad Request. Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z) +```http +GET https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z) ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md new file mode 100644 index 0000000000..a16e71db5b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md @@ -0,0 +1,89 @@ +--- +title: Find devices by tag API +description: Find all devices that contain specifc tag +keywords: apis, supported apis, get, device, find, find device, by tag, tag +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Find devices by tag API + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + + +## API description +Find [Machines](machine.md) by [Tag](machine-tags.md). +
        ```startswith``` query is supported. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) +> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) + +## HTTP request +``` +GET /api/machines/findbytag?tag={tag}&useStartsWithFilter={true/false} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +tag | String | The tag name. **Required**. +useStartsWithFilter | Boolean | When set to true, the search will find all devices with tag name that starts with the given tag in the query. Defaults to false. **Optional**. + +## Request body +Empty + +## Response +If successful - 200 OK with list of the machines in the response body. + +## Example + +**Request** + +Here is an example of the request. + +```http +GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md index ce92f63d99..301115a087 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md @@ -4,7 +4,7 @@ description: Fix device sensors that are reporting as misconfigured or inactive keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,19 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 11/06/2020 +ms.technology: mde --- # Fix unhealthy sensors in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-fixsensor-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md index 14a50992e6..097719cb86 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md @@ -3,7 +3,7 @@ title: Get alert information by ID API description: Learn how to use the Get alert information by ID API to retrieve a specific alert by its ID in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, alert, information, id search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get alert information by ID API @@ -21,9 +22,13 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -36,7 +41,7 @@ Retrieves specific [Alert](alerts.md) by its ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index e9d18d97e7..d533b2e0e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md @@ -1,9 +1,9 @@ --- -title: Get alert related domains information +title: Get alert related domains information description: Retrieve all domains related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get alert information, alert information, related domain search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,19 +12,22 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get alert related domain information API -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + ## API description Retrieves all domains related to a specific alert. @@ -72,21 +75,17 @@ If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/domains +```http +GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/$metadata#Domains", + "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Domains", "value": [ { "host": "www.example.com" diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index 6e61e17504..aa0fc830ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -1,9 +1,9 @@ --- -title: Get alert related files information +title: Get alert related files information description: Retrieve all files related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint). keywords: apis, graph api, supported apis, get alert information, alert information, related files search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get alert related files information API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -**Applies to:** [Microsoft Defender for Endpoint ](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -72,10 +79,8 @@ If successful and alert and files exist - 200 OK. If alert not found - 404 Not F Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files +```http +GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/files ``` **Response** @@ -83,11 +88,9 @@ GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files", "value": [ { "sha1": "f2a00fd2f2de1be0214b8529f1e9f67096c1aa70", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index 62db50d08a..25ea5e8fcf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -1,9 +1,9 @@ --- -title: Get alert related IPs information +title: Get alert related IPs information description: Retrieve all IPs related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint). keywords: apis, graph api, supported apis, get alert information, alert information, related ip search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get alert related IPs information API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -73,10 +80,8 @@ If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not F Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/ips +```http +GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips ``` **Response** @@ -84,11 +89,9 @@ GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/ Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/$metadata#Ips", + "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Ips", "value": [ { "id": "104.80.104.128" diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index 98f64ac8d1..38461117ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -1,9 +1,9 @@ --- -title: Get alert related machine information +title: Get alert related machine information description: Retrieve all devices related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint). keywords: apis, graph api, supported apis, get alert information, alert information, related device search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get alert related machine information API @@ -21,9 +22,16 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -51,7 +59,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request -``` + +```http GET /api/alerts/{id}/machine ``` @@ -74,11 +83,8 @@ If successful and alert and device exist - 200 OK. If alert not found or device Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - -``` -GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/machine +```http +GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/machine ``` **Response** @@ -86,28 +92,39 @@ GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity", - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "version": "1709", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", + "osPlatform": "Windows10", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] + "riskScore": "Low", + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index 3e96ce7383..fb06d75de7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md @@ -1,9 +1,9 @@ --- -title: Get alert related user information +title: Get alert related user information description: Learn how to use the Get alert related user information API to retrieve the user related to a specific alert in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, alert, information, related, user search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get alert related user information API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -73,11 +80,8 @@ If successful and alert and a user exists - 200 OK with user in the body. If ale Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - -``` -GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/user +```http +GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/user ``` **Response** @@ -85,11 +89,9 @@ GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity", "id": "contoso\\user1", "accountName": "user1", "accountDomain": "contoso", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index a7c825d739..20bd761327 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -3,7 +3,7 @@ title: List alerts API description: Learn how to use the List alerts API to retrieve a collection of alerts in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List alerts API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -83,13 +90,10 @@ If successful, this method returns 200 OK, and a list of [alert](alerts.md) obje Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts ``` -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - **Response** Here is an example of the response. @@ -126,6 +130,12 @@ Here is an example of the response. "computerDnsName": "temp123.middleeast.corp.microsoft.com", "rbacGroupName": "MiddleEast", "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { "userName": "temp123", "domainName": "MIDDLEEAST" @@ -150,7 +160,7 @@ Here is an example of the response. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence ``` @@ -168,75 +178,51 @@ Here is an example of the response. "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts", "value": [ { - "id": "da637306396589640224_1753239473", - "incidentId": 875832, - "investigationId": 478434, + "id": "da637472900382838869_1364969609", + "incidentId": 1126093, + "investigationId": null, "assignedTo": null, "severity": "Low", "status": "New", "classification": null, "determination": null, - "investigationState": "PendingApproval", - "detectionSource": "WindowsDefenderAv", - "category": "UnwantedSoftware", - "threatFamilyName": "InstallCore", - "title": "An active 'InstallCore' unwanted software was detected", - "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.", - "alertCreationTime": "2020-07-18T03:27:38.9483995Z", - "firstEventTime": "2020-07-18T03:25:39.6124549Z", - "lastEventTime": "2020-07-18T03:26:18.4362304Z", - "lastUpdateTime": "2020-07-18T03:28:19.76Z", + "investigationState": "Queued", + "detectionSource": "WindowsDefenderAtp", + "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952", + "category": "Execution", + "threatFamilyName": null, + "title": "Low-reputation arbitrary code executed by signed executable", + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.", + "alertCreationTime": "2021-01-26T20:33:57.7220239Z", + "firstEventTime": "2021-01-26T20:31:32.9562661Z", + "lastEventTime": "2021-01-26T20:31:33.0577322Z", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", "resolvedTime": null, - "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa", - "computerDnsName": "temp2.redmond.corp.microsoft.com", - "rbacGroupName": "Ring0", - "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47", + "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625", + "computerDnsName": "temp123.middleeast.corp.microsoft.com", + "rbacGroupName": "A", + "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { - "userName": "temp2", - "domainName": "REDMOND" - }, - "comments": [], + "userName": "temp123", + "domainName": "MIDDLEEAST" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop123@contoso.com", + "createdTime": "2021-01-26T01:00:37.8404534Z" + } + ], "evidence": [ - { - "entityType": "File", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": null, - "processCommandLine": null, - "processCreationTime": null, - "parentProcessId": null, - "parentProcessCreationTime": null, - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, - { - "entityType": "Process", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": 24348, - "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ", - "processCreationTime": "2020-07-18T03:25:38.5269993Z", - "parentProcessId": 16840, - "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z", - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, { "entityType": "User", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", "sha1": null, "sha256": null, "fileName": null, @@ -246,13 +232,74 @@ Here is an example of the response. "processCreationTime": null, "parentProcessId": null, "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, "ipAddress": null, "url": null, - "accountName": "temp2", - "domainName": "REDMOND", - "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363", - "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d", - "userPrincipalName": "temp2@microsoft.com" + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": "eranb", + "domainName": "MIDDLEEAST", + "userSid": "S-1-5-21-11111607-1111760036-109187956-75141", + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "userPrincipalName": "temp123@microsoft.com", + "detectionStatus": null + }, + { + "entityType": "Process", + "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z", + "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", + "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6", + "fileName": "rundll32.exe", + "filePath": "C:\\Windows\\SysWOW64", + "processId": 3276, + "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe", + "processCreationTime": "2021-01-26T20:31:32.9581596Z", + "parentProcessId": 8420, + "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z", + "parentProcessFileName": "rundll32.exe", + "parentProcessFilePath": "C:\\Windows\\System32", + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + }, + { + "entityType": "File", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c", + "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608", + "fileName": "suspicious.dll", + "filePath": "c:\\temp", + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" } ] }, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md index a5cde6e4a0..21b2e1ebd9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md @@ -1,9 +1,9 @@ --- title: List all recommendations description: Retrieves a list of all security recommendations affecting the organization. -keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api +keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List all recommendations @@ -22,6 +23,14 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] [!include[Prerelease information](../../includes/prerelease.md)] @@ -60,8 +69,8 @@ If successful, this method returns 200 OK with the list of security recommendati Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/recommendations +```http +GET https://api.securitycenter.microsoft.com/api/recommendations ``` **Response** @@ -71,7 +80,7 @@ Here is an example of the response. ```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations", "value": [ { "id": "va-_-microsoft-_-windows_10", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md index f2de05191d..0bb2f8a653 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md @@ -3,7 +3,7 @@ title: Get all vulnerabilities by machine and software description: Retrieves a list of all the vulnerabilities affecting the organization by Machine and Software keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,16 +12,25 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List vulnerabilities by machine and software [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Retrieves a list of all the vulnerabilities affecting the organization per [machine](machine.md) and [software](software.md). - If the vulnerability has a fixing KB, it will appear in the response. @@ -64,8 +73,8 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/vulnerabilities/machinesVulnerabilities +```http +GET https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities ``` **Response** @@ -75,7 +84,7 @@ Here is an example of the response. ```json { - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicAssetVulnerabilityDto)", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicAssetVulnerabilityDto)", "value": [ { "id": "5afa3afc92a7c63d4b70129e0a6f33f63a427e21-_-CVE-2020-6494-_-microsoft-_-edge_chromium-based-_-81.0.416.77-_-", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md index 9847c928d4..1acf21401e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md @@ -3,7 +3,7 @@ title: Get all vulnerabilities description: Retrieves a list of all the vulnerabilities affecting the organization keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List vulnerabilities @@ -22,6 +23,13 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] [!include[Prerelease information](../../includes/prerelease.md)] @@ -60,8 +68,8 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/Vulnerabilities +```http +GET https://api.securitycenter.microsoft.com/api/Vulnerabilities ``` **Response** @@ -71,7 +79,7 @@ Here is an example of the response. ```json { - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities", "value": [ { "id": "CVE-2019-0608", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md index 7a5a5aacb3..2fe3ae2a8b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md @@ -4,7 +4,7 @@ description: Learn how to use the Get CVE-KB map API to retrieve a map of CVE's keywords: apis, graph api, supported apis, get, cve, kb search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ROBOTS: NOINDEX +ms.technology: mde --- # Get CVE-KB map API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] Retrieves a map of CVE's to KB's and CVE details. @@ -56,18 +62,15 @@ If successful and map exists - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/CveKbMap -Content-type: application/json ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap", "@odata.count": 4168, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md index e14a6859a7..fc18d97935 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md @@ -3,7 +3,7 @@ title: Get device secure score description: Retrieves the organizational device secure score. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,19 +12,28 @@ ms.author: ellevin ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get device secure score [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint(https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + + Retrieves your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks. ## Permissions @@ -62,8 +71,8 @@ If successful, this method returns 200 OK, with the device secure score data in Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/configurationScore +```http +GET https://api.securitycenter.microsoft.com/api/configurationScore ``` ### Response @@ -75,7 +84,7 @@ Here is an example of the response. ```json { - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ConfigurationScore/$entity", "time": "2019-12-03T09:15:58.1665846Z", "score": 340 } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md index 5b16a71cfc..54078f8925 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md @@ -3,7 +3,7 @@ title: Get discovered vulnerabilities description: Retrieves a collection of discovered vulnerabilities related to a given device ID. keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,20 +12,31 @@ ms.author: ellevin ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get discovered vulnerabilities [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + +## API description Retrieves a collection of discovered vulnerabilities related to a given device ID. +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) @@ -61,17 +72,17 @@ If successful, this method returns 200 OK with the discovered vulnerability info Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities +```http +GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities ``` ### Response Here is an example of the response. -``` +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ { "id": "CVE-2019-1348", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md index 26fdbad6f4..3721566568 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md @@ -1,9 +1,9 @@ --- -title: Get domain related alerts API +title: Get domain-related alerts API description: Learn how to use the Get domain related alerts API to retrieve alerts related to a given domain address in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, domain, related, alerts search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Get domain related alerts API +# Get domain-related alerts API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -74,8 +80,6 @@ If successful and domain exists - 200 OK with list of [alert](alerts.md) entitie Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - ```http -GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts +GET https://api.securitycenter.microsoft.com/api/domains/client.wns.windows.com/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md index bda2a9024c..14b95f8007 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md @@ -3,7 +3,7 @@ title: Get domain related machines API description: Learn how to use the Get domain related machines API to get machines that communicated to or from a domain in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, domain, related, devices search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get domain related machines API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint(https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -36,7 +42,7 @@ Retrieves a collection of [Machines](machine.md) that have communicated to or fr ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -75,9 +81,6 @@ If successful and domain exists - 200 OK with list of [machine](machine.md) enti Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - ```http -GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines +GET https://api.securitycenter.microsoft.com/api/domains/api.securitycenter.microsoft.com/machines ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index cb49efb465..a8aa5990dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -3,7 +3,7 @@ title: Get domain statistics API description: Learn how to use the Get domain statistics API to retrieve the statistics on the given domain in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, domain, domain related devices search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get domain statistics API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -57,6 +63,11 @@ Header | Value :---|:--- Authorization | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -71,10 +82,8 @@ If successful and domain exists - 200 OK, with statistics object in the response Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/domains/example.com/stats +```http +GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48 ``` **Response** @@ -82,11 +91,9 @@ GET https://api.securitycenter.windows.com/api/domains/example.com/stats Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats", "host": "example.com", "orgPrevalence": "4070", "orgFirstSeen": "2017-07-30T13:23:48Z", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md index 43d7ac20e9..2d3c69d629 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md @@ -3,7 +3,7 @@ title: Get exposure score description: Retrieves the organizational exposure score. keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,25 @@ ms.author: ellevin ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get exposure score [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -64,8 +71,8 @@ If successful, this method returns 200 OK, with the exposure data in the respons Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/exposureScore +```http +GET https://api.securitycenter.microsoft.com/api/exposureScore ``` ### Response @@ -77,7 +84,7 @@ Here is an example of the response. ```json { - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ExposureScore/$entity", "time": "2019-12-03T07:23:53.280499Z", "score": 33.491554051195706 } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index 61ab343580..ee1527e69b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -3,7 +3,7 @@ title: Get file information API description: Learn how to use the Get file information API to get a file by Sha1, Sha256, or MD5 identifier in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5 search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get file information API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -71,10 +77,8 @@ If successful and file exists - 200 OK with the [file](files.md) entity in the b Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3 +```http +GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3 ``` **Response** @@ -82,11 +86,9 @@ GET https://api.securitycenter.windows.com/api/files/4388963aaa83afe2042a46a3c01 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity", "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3", "sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462", "globalPrevalence": 180022, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md index d1c53228ac..0c29cd245d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md @@ -1,9 +1,9 @@ --- -title: Get file related alerts API -description: Learn how to use the Get file related alerts API to get a collection of alerts related to a given file hash in Microsoft Defender for Endpoint. +title: Get file-related alerts API +description: Learn how to use the Get file-related alerts API to get a collection of alerts related to a given file hash in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, file, hash search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Get file related alerts API +# Get file-related alerts API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -65,7 +71,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and file exists - 200 OK with list of [alert](alerts.md) entities in the body. If file do not exist - 404 Not Found. +If successful and file exists - 200 OK with list of [alert](alerts.md) entities in the body. If file does not exist - 404 Not Found. ## Example @@ -74,8 +80,6 @@ If successful and file exists - 200 OK with list of [alert](alerts.md) entities Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts +```http +GET https://api.securitycenter.microsoft.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md index c60f272c69..f69053927b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md @@ -1,9 +1,9 @@ --- -title: Get file related machines API -description: Learn how to use the Get file related machines API to get a collection of machines related to a file hash in Microsoft Defender for Endpoint. +title: Get file-related machines API +description: Learn how to use the Get file-related machines API to get a collection of machines related to a file hash in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, devices, hash search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Get file related machines API +# Get file-related machines API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -65,7 +71,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and file exists - 200 OK with list of [machine](machine.md) entities in the body. If file do not exist - 404 Not Found. +If successful and file exists - 200 OK with list of [machine](machine.md) entities in the body. If file does not exist - 404 Not Found. ## Example @@ -74,8 +80,6 @@ If successful and file exists - 200 OK with list of [machine](machine.md) entiti Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines +```http +GET https://api.securitycenter.microsoft.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index 59f525f594..cc1e435b61 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -3,7 +3,7 @@ title: Get file statistics API description: Learn how to use the Get file statistics API to retrieve the statistics for the given file in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, file, statistics search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get file statistics API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -57,6 +63,11 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -71,10 +82,8 @@ If successful and file exists - 200 OK with statistical data in the body. If fil Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats +```http +GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48 ``` **Response** @@ -82,11 +91,9 @@ GET https://api.securitycenter.windows.com/api/files/0991a395da64e1c5fbe8732ed11 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats", "sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f", "orgPrevalence": "14850", "orgFirstSeen": "2019-12-07T13:44:16Z", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md index 293d458f27..45f23bcd3e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md @@ -3,7 +3,7 @@ title: Get installed software description: Retrieves a collection of installed software related to a given device ID. keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get installed software @@ -22,6 +23,14 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + [!include[Prerelease information](../../includes/prerelease.md)] @@ -60,8 +69,8 @@ If successful, this method returns 200 OK with the installed software informatio Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software +```http +GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software ``` **Response** @@ -71,7 +80,7 @@ Here is an example of the response. ``` { -"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software", +"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software", "value": [ { "id": "microsoft-_-internet_explorer", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md index 296f7c81ce..108d89871f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md @@ -3,7 +3,7 @@ title: List Investigations API description: Use this API to create calls related to get Investigations collection keywords: apis, graph api, supported apis, Investigations collection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List Investigations API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -54,7 +60,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ## HTTP request ``` -GET https://api.securitycenter.windows.com/api/investigations +GET https://api.securitycenter.microsoft.com/api/investigations ``` ## Request headers @@ -71,30 +77,23 @@ Empty If successful, this method returns 200, Ok response code with a collection of [Investigations](investigation.md) entities. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - ## Example **Request** Here is an example of a request to get all investigations: - ``` -GET https://api.securitycenter.windows.com/api/investigations +GET https://api.securitycenter.microsoft.com/api/investigations ``` **Response** Here is an example of the response: - -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Investigations", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Investigations", "value": [ { "id": "63017", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md index 6953ccabba..561c68ac0b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md @@ -3,7 +3,7 @@ title: Get Investigation object API description: Use this API to create calls related to get Investigation object keywords: apis, graph api, supported apis, Investigation object search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get Investigation API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description Retrieves specific [Investigation](investigation.md) by its ID. @@ -50,7 +57,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ## HTTP request ``` -GET https://api.securitycenter.windows.com/api/investigations/{id} +GET https://api.securitycenter.microsoft.com/api/investigations/{id} ``` ## Request headers diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index 6d078cbf15..8c6690d917 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -3,7 +3,7 @@ title: Get IP related alerts API description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, ip, related, alerts search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,19 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get IP related alerts API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description Retrieves a collection of alerts related to a given IP address. @@ -74,9 +79,6 @@ If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - -``` -GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts +```http +GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index b58fd359e9..c3c0b129df 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -3,7 +3,7 @@ title: Get IP statistics API description: Get the latest stats for your IP using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, ip, statistics, prevalence search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,28 +12,31 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get IP statistics API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description Retrieves the statistics for the given IP. - ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) @@ -42,12 +45,13 @@ Permission type | Permission | Permission display name Application | Ip.Read.All | 'Read IP address profiles' Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' ->[!Note] +>[!NOTE] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request -``` + +```http GET /api/ips/{ip}/stats ``` @@ -57,6 +61,11 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -71,10 +80,8 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats +```http +GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48 ``` **Response** @@ -82,14 +89,22 @@ GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats", "ipAddress": "10.209.67.177", "orgPrevalence": "63515", "orgFirstSeen": "2017-07-30T13:36:06Z", "orgLastSeen": "2017-08-29T13:32:59Z" } ``` + + +| Name | Description | +| :--- | :---------- | +| Org prevalence | the distinct count of devices that opened network connection to this IP. | +| Org first seen | the first connection for this IP in the organization. | +| Org last seen | the last connection for this IP in the organization. | + +> [!NOTE] +> This statistic information is based on data from the past 30 days. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md index e7ac39a93c..a2bdfc279e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md @@ -4,7 +4,7 @@ description: Retrieve a collection of knowledge bases (KB's) and KB details with keywords: apis, graph api, supported apis, get, kb search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ROBOTS: NOINDEX +ms.technology: mde --- # Get KB collection API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] Retrieves a collection of KB's and KB details. @@ -56,18 +62,15 @@ If successful - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/KbInfo -Content-type: application/json ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo", "@odata.count": 271, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index 30fd9d4263..d590669188 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -3,7 +3,7 @@ title: Get machine by ID API description: Learn how to use the Get machine by ID API to retrieve a machine by its device ID or computer name in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, devices, entity, id search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get machine by ID API @@ -21,9 +22,13 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -36,7 +41,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md). Permission type | Permission | Permission display name :---|:---|:--- @@ -77,10 +82,8 @@ If machine with the specified ID was not found - 404 Not Found. Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - ```http -GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07 +GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07 ``` **Response** @@ -88,29 +91,39 @@ GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932 Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine", - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, "healthStatus": "Active", - "rbacGroupId": 140, + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] } - ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md index 112ed575be..cc1ab0b0a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md @@ -3,7 +3,7 @@ title: List exposure score by device group description: Retrieves a list of exposure scores by device group. keywords: apis, graph api, supported apis, get, exposure score, device group, device group exposure score search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ ms.author: ellevin ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List exposure score by device group @@ -21,9 +22,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -64,8 +70,8 @@ If successful, this method returns 200 OK, with a list of exposure score per dev Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/exposureScore/ByMachineGroups +```http +GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups ``` ### Response @@ -75,7 +81,7 @@ Here is an example of the response. ```json { - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ExposureScore", "value": [ { "time": "2019-12-03T09:51:28.214338Z", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index 137fc569cc..965e6713b5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -3,7 +3,7 @@ title: Get machine logon users API description: Learn how to use the Get machine logon users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, device, log on, users search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get machine logon users API @@ -21,10 +22,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + ## API description Retrieves a collection of logged on users on a specific device. @@ -73,10 +78,8 @@ If successful and device exists - 200 OK with list of [user](user.md) entities i Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - ```http -GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers +GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers ``` **Response** @@ -84,11 +87,9 @@ GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932 Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users", "value": [ { "id": "contoso\\user1", @@ -97,8 +98,6 @@ Content-type: application/json "accountSid": "S-1-5-21-72051607-1745760036-109187956-93922", "firstSeen": "2019-12-18T08:02:54Z", "lastSeen": "2020-01-06T08:01:48Z", - "mostPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62", - "leastPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62", "logonTypes": "Interactive", "logOnMachinesCount": 8, "isDomainAdmin": true, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md index 49e6162ab5..8117a68e72 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md @@ -3,7 +3,7 @@ title: Get machine related alerts API description: Learn how to use the Get machine related alerts API to retrieve all alerts related to a specific device in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, devices, related, alerts search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get machine related alerts API @@ -21,9 +22,13 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md index dc294c9002..1f10ff8352 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md @@ -3,7 +3,7 @@ title: Get MachineAction object API description: Learn how to use the Get MachineAction API to retrieve a specific Machine Action by its ID in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, machineaction object search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get machineAction API @@ -21,9 +22,13 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -50,7 +55,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ## HTTP request ``` -GET https://api.securitycenter.windows.com/api/machineactions/{id} +GET https://api.securitycenter.microsoft.com/api/machineactions/{id} ``` ## Request headers @@ -72,10 +77,8 @@ If successful, this method returns 200, Ok response code with a [Machine Action] Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba +```http +GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba ``` **Response** @@ -83,11 +86,9 @@ GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208 Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity", "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", "type": "Isolate", "scope": "Selective", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index 026a5fe161..5e58b291ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -3,7 +3,7 @@ title: List machineActions API description: Learn how to use the List MachineActions API to retrieve a collection of Machine Actions in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, machineaction collection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List MachineActions API @@ -21,9 +22,13 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -54,7 +59,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ## HTTP request ``` -GET https://api.securitycenter.windows.com/api/machineactions +GET https://api.securitycenter.microsoft.com/api/machineactions ``` ## Request headers @@ -77,10 +82,8 @@ If successful, this method returns 200, Ok response code with a collection of [m Here is an example of the request on an organization that has three MachineActions. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/machineactions +```http +GET https://api.securitycenter.microsoft.com/api/machineactions ``` **Response** @@ -88,11 +91,9 @@ GET https://api.securitycenter.windows.com/api/machineactions Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions", "value": [ { "id": "69dc3630-1ccc-4342-acf3-35286eec741d", @@ -147,20 +148,18 @@ Content-type: application/json Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions. ``` -GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2 +GET https://api.securitycenter.microsoft.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2 ``` **Response** Here is an example of the response. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - ``` HTTP/1.1 200 Ok Content-type: application/json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions", "value": [ { "id": "69dc3630-1ccc-4342-acf3-35286eec741d", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md deleted file mode 100644 index 93f27a6093..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md +++ /dev/null @@ -1,84 +0,0 @@ ---- -title: Get RBAC machine groups collection API -description: Learn how to use the Get KB collection API to retrieve a collection of RBAC device groups in Microsoft Defender Advanced Threat Protection. -keywords: apis, graph api, supported apis, get, RBAC, group -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: leonidzh -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 10/07/2018 ---- - -# Get KB collection API - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -**Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -Retrieves a collection of RBAC device groups. - -## Permissions -User needs read permissions. - -## HTTP request -``` -GET /testwdatppreview/machinegroups -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content type | application/json - -## Request body -Empty - -## Response -If successful - 200 OK. - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/machinegroups -Content-type: application/json -``` - -**Response** - -Here is an example of the response. -Field id contains device group **id** and equal to field **rbacGroupId** in devices info. -Field **ungrouped** is true only for one group for all devices that have not been assigned to any group. This group as usual has name "UnassignedGroup". - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineGroups", - "@odata.count":7, - "value":[ - { - "id":86, - "name":"UnassignedGroup", - "description":"", - "ungrouped":true}, - … -} -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md index 7490907216..9848b03416 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md @@ -3,7 +3,7 @@ title: List devices by software description: Retrieve a list of devices that has this software installed. keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List devices by software @@ -21,9 +22,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] @@ -61,8 +67,8 @@ If successful, this method returns 200 OK and a list of devices with the softwar Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences +```http +GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machineReferences ``` **Response** @@ -70,9 +76,8 @@ GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machine Here is an example of the response. ```json - { - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences", "value": [ { "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md index bbd94f8b8d..9960369441 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md @@ -3,7 +3,7 @@ title: List devices by vulnerability description: Retrieves a list of devices affected by a vulnerability. keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,17 +12,23 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List devices by vulnerability [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] @@ -61,8 +67,8 @@ If successful, this method returns 200 OK with the vulnerability information in Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences +```http +GET https://api.securitycenter.microsoft.com/api/vulnerabilities/CVE-2019-0608/machineReferences ``` **Response** @@ -72,7 +78,7 @@ Here is an example of the response. ```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences", "value": [ { "id": "235a2e6278c63fcf85bab9c370396972c58843de", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index aef7e2789a..f003837b6a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -3,7 +3,7 @@ title: List machines API description: Learn how to use the List machines API to retrieve a collection of machines that have communicated with Microsoft Defender ATP cloud. keywords: apis, graph api, supported apis, get, devices search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List machines API @@ -21,16 +22,23 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender for Endpoint cloud. -
        Supports [OData V4 queries](https://www.odata.org/documentation/). -
        The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`. -
        See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md) + +Supports [OData V4 queries](https://www.odata.org/documentation/). + +The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`. + +See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md). ## Limitations @@ -50,13 +58,13 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information). +>- Response will include only devices, that the user have access to, based on device group settings. For more info, see [Create and manage device groups](machine-groups.md). ## HTTP request ```http -GET https://api.securitycenter.windows.com/api/machines +GET https://api.securitycenter.microsoft.com/api/machines ``` ## Request headers @@ -79,43 +87,52 @@ If successful and machines exists - 200 OK with list of [machine](machine.md) en Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - ```http -GET https://api.securitycenter.windows.com/api/machines +GET https://api.securitycenter.microsoft.com/api/machines ``` **Response** Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, "healthStatus": "Active", - "rbacGroupId": 140, + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] - } + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md index aba82de482..55e5926931 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md @@ -4,7 +4,7 @@ description: Retrieve a collection of device security states using Microsoft Def keywords: apis, graph api, supported apis, get, device, security, state search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde --- # Get Machines security states collection API @@ -22,9 +23,13 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] Retrieves a collection of devices security states. @@ -55,9 +60,8 @@ If successful - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates -Content-type: application/json ``` **Response** @@ -65,9 +69,7 @@ Content-type: application/json Here is an example of the response. Field *id* contains device id and equal to the field *id** in devices info. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates", "@odata.count":444, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index 52846f5bdf..6ea30bfe12 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -3,7 +3,7 @@ title: Get missing KBs by device ID description: Retrieves missing security updates by device ID keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get missing KBs by device ID @@ -21,11 +22,19 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Retrieves missing KBs (security updates) by device ID +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + +## API description +Retrieves missing KBs (security updates) by device ID. + +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. ## HTTP request @@ -53,8 +62,8 @@ If successful, this method returns 200 OK, with the specified device missing kb Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs +```http +GET https://api.securitycenter.microsoft.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs ``` ### Response diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md index 21506f3767..1dc5c674fc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md @@ -3,7 +3,7 @@ title: Get missing KBs by software ID description: Retrieves missing security updates by software ID keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get missing KBs by software ID @@ -21,9 +22,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Retrieves missing KBs (security updates) by software ID @@ -62,8 +68,8 @@ If successful, this method returns 200 OK, with the specified software missing k Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/getmissingkbs +```http +GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/getmissingkbs ``` ### Response diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index ffd04c4f62..4f1ac453b5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -3,7 +3,7 @@ title: Get package SAS URI API description: Use this API to get a URI that allows downloading an investigation package. keywords: apis, graph api, supported apis, get package, sas, uri search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get package SAS URI API @@ -21,9 +22,13 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -45,7 +50,7 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi ## HTTP request ``` -GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri +GET https://api.securitycenter.microsoft.com/api/machineactions/{machine action id}/getPackageUri ``` ## Request headers @@ -68,24 +73,17 @@ If successful, this method returns 200, Ok response code with object that holds Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri - +```http +GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri ``` **Response** Here is an example of the response. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - -``` -HTTP/1.1 200 Ok -Content-type: application/json - +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String", "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\"" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md index ef3203f244..f387acb401 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md @@ -1,9 +1,9 @@ --- title: Get recommendation by Id description: Retrieves a security recommendation by its ID. -keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api +keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,22 +12,30 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get recommendation by ID [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + [!include[Prerelease information](../../includes/prerelease.md)] Retrieves a security recommendation by its ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- @@ -59,8 +67,8 @@ If successful, this method returns 200 OK with the security recommendations in t Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome +```http +GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome ``` **Response** @@ -69,7 +77,7 @@ Here is an example of the response. ```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations/$entity", "id": "va-_-google-_-chrome", "productName": "chrome", "recommendationName": "Update Chrome", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index 079ab2c449..51e132bc98 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -1,9 +1,9 @@ --- title: List devices by recommendation -description: Retrieves a list of devices associated with the security recommendation. -keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api +description: Retrieves a list of devices associated with the security recommendation. +keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,17 +12,23 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List devices by recommendation [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] @@ -61,8 +67,8 @@ If successful, this method returns 200 OK with the list of devices associated wi Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences +```http +GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/machineReferences ``` **Response** @@ -71,7 +77,7 @@ Here is an example of the response. ```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences", "value": [ { "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md index 0656c420e8..4bd6667873 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md @@ -1,9 +1,9 @@ --- title: Get recommendation by software description: Retrieves a security recommendation related to a specific software. -keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api +keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,17 +12,23 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get recommendation by software [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] @@ -61,8 +67,8 @@ If successful, this method returns 200 OK with the software associated with the Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software +```http +GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software ``` **Response** @@ -71,7 +77,7 @@ Here is an example of the response. ```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto", "id": "google-_-chrome", "name": "chrome", "vendor": "google", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md index 95b525bf6b..9369763a13 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md @@ -1,9 +1,9 @@ --- title: List vulnerabilities by recommendation description: Retrieves a list of vulnerabilities associated with the security recommendation. -keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api +keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,17 +12,23 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List vulnerabilities by recommendation [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] @@ -61,8 +67,8 @@ If successful, this method returns 200 OK, with the list of vulnerabilities asso Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities +```http +GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/vulnerabilities ``` **Response** @@ -71,7 +77,7 @@ Here is an example of the response. ```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ { "id": "CVE-2019-13748", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index 91a19e9c18..ad4bf78d93 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md @@ -3,7 +3,7 @@ title: Get security recommendations description: Retrieves a collection of security recommendations related to a given device ID. keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,22 +12,31 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get security recommendations [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] [!include[Prerelease information](../../includes/prerelease.md)] +## API description Retrieves a collection of security recommendations related to a given device ID. +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) @@ -61,8 +70,8 @@ If successful, this method returns 200 OK with the security recommendations in t Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations +```http +GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations ``` **Response** @@ -70,9 +79,9 @@ GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf442 Here is an example of the response. -``` +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations", "value": [ { "id": "va-_-git-scm-_-git", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index 07550126c1..02fc552fb6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md @@ -1,9 +1,9 @@ --- title: Get software by Id -description: Retrieves a list of exposure scores by device group. +description: Retrieves a list of sofware by ID. keywords: apis, graph api, supported apis, get, software, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get software by Id @@ -21,9 +22,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] @@ -61,8 +67,8 @@ If successful, this method returns 200 OK with the specified software data in th Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge +```http +GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge ``` **Response** @@ -70,9 +76,8 @@ GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge Here is an example of the response. ```json - { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity", "id": "microsoft-_-edge", "name": "edge", "vendor": "microsoft", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md index 7ae8324de9..160a0a15ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md @@ -1,9 +1,9 @@ --- -title: List software version distribution -description: Retrieves a list of your organization's software version distribution +title: List software version distribution +description: Retrieves a list of your organization's software version distribution keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List software version distribution @@ -21,9 +22,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] @@ -61,8 +67,8 @@ If successful, this method returns 200 OK with a list of software distributions Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions +```http +GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distributions ``` **Response** @@ -70,9 +76,8 @@ GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distrib Here is an example of the response. ```json - { - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Distributions", "value": [ { "version": "11.0.17134.1039", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md index 6a02de62a0..efa72bf72c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md @@ -3,7 +3,7 @@ title: List software description: Retrieves a list of software inventory keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List software inventory API @@ -21,9 +22,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Retrieves the organization software inventory. @@ -60,8 +66,8 @@ If successful, this method returns 200 OK with the software inventory in the bod Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/Software +```http +GET https://api.securitycenter.microsoft.com/api/Software ``` **Response** @@ -71,7 +77,7 @@ Here is an example of the response. ```json { - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software", "value": [ { "id": "microsoft-_-edge", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md index 3ab82897fa..d001d2e89f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md @@ -1,11 +1,11 @@ --- -title: Become a Microsoft Defender ATP partner +title: Become a Microsoft Defender for Endpoint partner ms.reviewer: description: Learn the steps and requirements to integrate your solution with Microsoft Defender ATP and be a partner keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde --- # Become a Microsoft Defender for Endpoint partner @@ -24,7 +25,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) To become a Defender for Endpoint solution partner, you'll need to follow and complete the following steps. @@ -40,24 +41,26 @@ Once the Microsoft Defender for Endpoint team has reviewed and approves the inte [Microsoft Intelligent Security Association](https://www.microsoft.com/security/partnerships/intelligent-security-association) is a program specifically for Microsoft security partners to help enrich your security products and improve customer discoverability of your integrations to Microsoft security products. ## Step 4: Get listed in the Microsoft Defender for Endpoint partner application portal -Microsoft Defender ATP supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender for Endpoint management portal. +Microsoft Defender for Endpoint supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender for Endpoint management portal. To have your company listed as a partner in the in-product partner page, you will need to provide the following information: 1. A square logo (SVG). 2. Name of the product to be presented. 3. Provide a 15-word product description. -4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. Wait for at least 10 days for the review process to be done. +4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Any press release including the Microsoft Defender for Endpoint product name should be reviewed by the marketing and engineering teams. Wait for at least 10 days for the review process to be done. 5. If you use a multi-tenant Azure AD approach, we will need the Azure AD application name to track usage of the application. 6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA). + Follow these steps: - 1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP-integrated product with the version of the product that includes this integration. - - ISV Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}` - - Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}` - - 2. Set the User-Agent field in each HTTP request header to the name based on the above nomenclature. - For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0` + + - Set the User-Agent field in each HTTP request header to the below format. + - `MdePartner-{CompanyName}-{ProductName}/{Version}` + + - For example, User-Agent: `MdePartner-Contoso-ContosoCognito/1.0.0` + + - For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). Partnerships with Microsoft Defender for Endpoint help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender for Endpoint partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md index ea42bf22ac..c2b55547ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md @@ -3,7 +3,7 @@ title: List Indicators API description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender Advanced Threat Protection. keywords: apis, public api, supported apis, Indicators collection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List Indicators API @@ -21,10 +22,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + ## API description Retrieves a collection of all active [Indicators](ti-indicator.md). @@ -48,11 +53,9 @@ Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators' ## HTTP request ``` -GET https://api.securitycenter.windows.com/api/indicators +GET https://api.securitycenter.microsoft.com/api/indicators ``` -[!include[Improve request performance](../../includes/improve-request-performance.md)] - ## Request headers Name | Type | Description @@ -75,19 +78,17 @@ If successful, this method returns 200, Ok response code with a collection of [I Here is an example of a request that gets all Indicators -``` -GET https://api.securitycenter.windows.com/api/indicators +```http +GET https://api.securitycenter.microsoft.com/api/indicators ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ { "id": "995", @@ -138,19 +139,17 @@ Content-type: application/json Here is an example of a request that gets all Indicators with 'AlertAndBlock' action -``` -GET https://api.securitycenter.windows.com/api/indicators?$filter=action+eq+'AlertAndBlock' +```http +GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock' ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ { "id": "997", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md index bc5b69d9cd..ecbc146a9e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md @@ -3,7 +3,7 @@ title: Get user information API description: Learn how to use the Get user information API to retrieve a User entity by key, or user name, in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, user, user information search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,16 +12,22 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get user information API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] Retrieve a User entity by key (user name). @@ -58,11 +64,8 @@ If successful and user exists - 200 OK with [user](user.md) entity in the body. Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/users/user1 -Content-type: application/json +```http +GET https://api.securitycenter.microsoft.com/api/users/user1 ``` **Response** @@ -70,11 +73,9 @@ Content-type: application/json Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity", "id": "user1", "firstSeen": "2018-08-02T00:00:00Z", "lastSeen": "2018-08-04T00:00:00Z", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index b6282b18f3..782f1f620c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -3,7 +3,7 @@ title: Get user-related alerts API description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, user, related, alerts search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,19 +12,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get user-related alerts API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description Retrieves a collection of alerts related to a given user ID. @@ -76,8 +82,6 @@ If successful and user exists - 200 OK. If the user does not exist - 404 Not Fou Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/users/user1/alerts +```http +GET https://api.securitycenter.microsoft.com/api/users/user1/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index 33fbf7f79a..e726dab081 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -3,7 +3,7 @@ title: Get user-related machines API description: Learn how to use the Get user-related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, user, user related alerts search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,19 +12,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get user-related machines API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description Retrieves a collection of devices related to a given user ID. @@ -77,8 +83,6 @@ If successful and user exists - 200 OK with list of [machine](machine.md) entiti Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/users/user1/machines +```http +GET https://api.securitycenter.microsoft.com/api/users/user1/machines ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md index ac266cf40f..a8bf3252ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md @@ -1,9 +1,9 @@ --- title: List vulnerabilities by software -description: Retrieve a list of vulnerabilities in the installed software. +description: Retrieve a list of vulnerabilities in the installed software. keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,25 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List vulnerabilities by software [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + [!include[Prerelease information](../../includes/prerelease.md)] @@ -52,7 +59,7 @@ GET /api/Software/{Id}/vulnerabilities Empty ## Response -If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software. +If successful, this method returns 200 OK with a list of vulnerabilities exposed by the specified software. ## Example @@ -61,8 +68,8 @@ If successful, this method returns 200 OK with a a list of vulnerabilities expos Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities +```http +GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities ``` **Response** @@ -70,9 +77,8 @@ GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnera Here is an example of the response. ```json - { - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ { "id": "CVE-2017-0140", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md index 3e66207db5..5b09a4bb67 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md @@ -1,9 +1,9 @@ --- -title: Get vulnerability by Id +title: Get vulnerability by ID description: Retrieves vulnerability information by its ID. keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get vulnerability by ID @@ -22,6 +23,14 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] [!include[Prerelease information](../../includes/prerelease.md)] @@ -60,8 +69,8 @@ If successful, this method returns 200 OK with the vulnerability information in Here is an example of the request. -``` -GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608 +```http +GET https://api.securitycenter.microsoft.com/api/Vulnerabilities/CVE-2019-0608 ``` **Response** @@ -70,7 +79,7 @@ Here is an example of the response. ```json { - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity", + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities/$entity", "id": "CVE-2019-0608", "name": "CVE-2019-0608", "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.", diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index af348b95bc..555ab3ee79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -1,10 +1,10 @@ --- -title: Microsoft Defender ATP for US Government GCC High customers -description: Learn about the requirements and the available Microsoft Defender ATP capabilities for US Government CCC High customers -keywords: government, gcc, high, requirements, capabilities, defender, defender atp, mdatp +title: Microsoft Defender for Endpoint for US Government customers +description: Learn about the Microsoft Defender for Endpoint for US Government customers requirements and capabilities available +keywords: government, gcc, high, requirements, capabilities, defender, defender atp, mdatp, endpoint, dod search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,99 +13,149 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- -# Microsoft Defender for Endpoint for US Government GCC High customers - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - +# Microsoft Defender for Endpoint for US Government customers **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -Microsoft Defender for Endpoint for US Government Community Cloud High (GCC High) customers, built in the US Azure Government environment, uses the same underlying technologies as Defender for Endpoint in Azure Commercial. +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -This offering is currently available to US Office 365 GCC High customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some key differences in the availability of capabilities for this offering. +> [!NOTE] +> If you are a GCC customer using Defender for Endpoint in Commercial, please refer to the public documentation pages. + +## Licensing requirements +Microsoft Defender for Endpoint for US Government customers requires one of the following Microsoft volume licensing offers: + +### Desktop licensing +GCC | GCC High | DoD +:---|:---|:--- +Windows 10 Enterprise E5 GCC | Windows 10 Enterprise E5 for GCC High | Windows 10 Enterprise E5 for DOD +| | Microsoft 365 E5 for GCC High | +| | Microsoft 365 G5 Security for GCC High | +Microsoft Defender for Endpoint - GCC | Microsoft Defender for Endpoint for GCC High | Microsoft Defender for Endpoint for DOD + +### Server licensing +GCC | GCC High | DoD +:---|:---|:--- +Microsoft Defender for Endpoint Server GCC | Microsoft Defender for Endpoint Server for GCC High | Microsoft Defender for Endpoint Server for DOD +Azure Defender for Servers | Azure Defender for Servers - Government | Azure Defender for Servers - Government + +> [!NOTE] +> DoD licensing will only be available at DoD general availability. + +
        + +## Portal URLs +The following are the Microsoft Defender for Endpoint portal URLs for US Government customers: + +Customer type | Portal URL +:---|:--- +GCC | https://gcc.securitycenter.microsoft.us +GCC High | https://securitycenter.microsoft.us +DoD (PREVIEW) | https://securitycenter.microsoft.us + +
        ## Endpoint versions + +### Standalone OS versions The following OS versions are supported: -- Windows 10, version 1903 -- Windows 10, version 1809 (OS Build 17763.404 with [KB4490481](https://support.microsoft.com/help/4490481)) -- Windows 10, version 1803 (OS Build 17134.799 with [KB4499183](https://support.microsoft.com/help/4499183)) -- Windows 10, version 1709 (OS Build 16299.1182 with [KB4499147](https://support.microsoft.com/help/4499147)) -- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/help/4490481)) +OS version | GCC | GCC High | DoD (PREVIEW) +:---|:---|:---|:--- +Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows 10, version 1709 | ![No](../images/svg/check-no.svg)
        Note: Won't be supported | ![Yes](../images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)
        Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade | ![No](../images/svg/check-no.svg)
        Note: Won't be supported +Windows 10, version 1703 and earlier | ![No](../images/svg/check-no.svg)
        Note: Won't be supported | ![No](../images/svg/check-no.svg)
        Note: Won't be supported | ![No](../images/svg/check-no.svg)
        Note: Won't be supported +Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows Server 2016 | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows Server 2012 R2 | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows Server 2008 R2 SP1 | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows 8.1 Enterprise | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows 8 Pro | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows 7 SP1 Enterprise | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows 7 SP1 Pro | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Linux | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development +macOS | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development +Android | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog ->[!NOTE] -A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment. +> [!NOTE] +> Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment. -The following OS versions are supported via Azure Security Center: -- Windows Server 2008 R2 SP1 -- Windows Server 2012 R2 -- Windows Server 2016 +> [!NOTE] +> Trying to onboard Windows devices older than Windows 10 or Windows Server 2019 using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud" if using the [setup wizard](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard), or if using a [command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line) or a [script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation) - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. -The following OS versions are not supported: -- Windows Server 2008 R2 SP1 (standalone, not via ASC) -- Windows Server 2012 R2 (standalone, not via ASC) -- Windows Server 2016 (standalone, not via ASC) -- Windows Server, version 1803 -- Windows 7 SP1 Enterprise -- Windows 7 SP1 Pro -- Windows 8 Pro -- Windows 8.1 Enterprise -- macOS -- Linux +### OS versions when using Azure Defender for Servers +The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp): -The initial release of Defender for Endpoint will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2020: +OS version | GCC | GCC High | DoD (PREVIEW) +:---|:---|:---|:--- +Windows Server 2016 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) -## Threat Analytics -Not currently available. - -## Threat & Vulnerability Management -Not currently available. - - -## Automated investigation and remediation -The following capabilities are not currently available: -- Response to Office 365 alerts -- Live response - - - -## Management and APIs -The following capabilities are not currently available: - -- Threat protection report -- Device health and compliance report -- Integration with third-party products - - -## Email notifications -Not currently available. - - -## Integrations -Integrations with the following Microsoft products are not currently available: -- Azure Advanced Threat Protection -- Azure Information Protection -- Defender for Office 365 -- Microsoft Cloud App Security -- Skype for Business -- Microsoft Intune (sharing of device information and enhanced policy enforcement) - -## Microsoft Threat Experts -Not currently available. +
        ## Required connectivity settings You'll need to ensure that traffic from the following are allowed: Service location | DNS record :---|:--- -Common URLs for all locations (Global location) | ```crl.microsoft.com```
        ```ctldl.windowsupdate.com```
        ```notify.windows.com```
        ```settings-win.data.microsoft.com```

        NOTE: ```settings-win.data.microsoft.com``` is only needed on Windows 10 devices running version 1803 or earlier. -Defender for Endpoint GCC High specific | ```us4-v20.events.data.microsoft.com```
        ```winatp-gw-usgt.microsoft.com```
        ```winatp-gw-usgv.microsoft.com```
        ```*.blob.core.usgovcloudapi.net``` +Common URLs for all locations (Global location) | `crl.microsoft.com`
        `ctldl.windowsupdate.com`
        `notify.windows.com`
        `settings-win.data.microsoft.com`

        Note: `settings-win.data.microsoft.com` is only needed on Windows 10 devices running version 1803 or earlier. +Common URLs for all US Gov customers | `us4-v20.events.data.microsoft.com`
        `*.blob.core.usgovcloudapi.net` +Defender for Endpoint GCC specific | `winatp-gw-usmt.microsoft.com`
        `winatp-gw-usmv.microsoft.com` +Defender for Endpoint GCC High & DoD (PREVIEW) specific | `winatp-gw-usgt.microsoft.com`
        `winatp-gw-usgv.microsoft.com` +
        +## API +Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro), you'll need to use the following URIs: +Endpoint type | GCC | GCC High & DoD (PREVIEW) +:---|:---|:--- +Login | `https://login.microsoftonline.com` | `https://login.microsoftonline.us` +Defender for Endpoint API | `https://api-gcc.securitycenter.microsoft.us` | `https://api-gov.securitycenter.microsoft.us` +SIEM | `https://wdatp-alertexporter-us.gcc.securitycenter.windows.us` | `https://wdatp-alertexporter-us.securitycenter.windows.us` + +
        + +## Feature parity with commercial +Defender for Endpoint doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available we want to highlight. + +These are the known gaps as of February 2021: + +Feature name | GCC | GCC High | DoD (PREVIEW) +:---|:---|:---|:--- +Automated investigation and remediation: Live response | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Automated investigation and remediation: Response to Office 365 alerts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +Email notifications | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) Rolling out +Evaluation lab | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Management and APIs: Device health and compliance report | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Management and APIs: Integration with third-party products | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development +Management and APIs: Streaming API | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development +Management and APIs: Threat protection report | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Threat & vulnerability management | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Web content filtering | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development +Integrations: Azure Sentinel | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development +Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development +Integrations: Microsoft Power Automate & Azure Logic Apps | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development +Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) +Microsoft Threat Experts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog diff --git a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md index f62c3b418f..5a2af69aab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md @@ -1,10 +1,10 @@ --- title: Grant access to managed security service provider (MSSP) -description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP +description: Take the necessary steps to configure MSSP integration with the Microsoft Defender ATP keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,19 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Grant managed security service provider (MSSP) access (preview) [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) @@ -100,7 +101,8 @@ To implement a multi-tenant delegated access solution, take the following steps: - Can only be requested by users in the MSSP SOC Tenant - Access auto expires after 365 days - ![Image of new access package](images/new-access-package.png) + > [!div class="mx-imgBorder"] + > ![Image of new access package](images/new-access-package.png) For more information, see [Create a new access package](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-access-package-create). @@ -109,8 +111,8 @@ To implement a multi-tenant delegated access solution, take the following steps: The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**. - - ![Image of access properties](images/access-properties.png) + > [!div class="mx-imgBorder"] + > ![Image of access properties](images/access-properties.png) The link is located on the overview page of each access package. diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md index adc3dd0a3b..e2f8bfd7a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md @@ -4,7 +4,7 @@ description: Access helpful resources such as links to blogs and other resources keywords: Microsoft Defender Security Center, product brief, brief, capabilities, licensing search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde --- # Helpful Microsoft Defender for Endpoint resources @@ -24,35 +25,40 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Access helpful resources such as links to blogs and other resources related to Microsoft Defender for Endpoint. ## Endpoint protection platform -- [Top scoring in industry +- [Top scoring in industry tests](https://docs.microsoft.com/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests) -- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) +- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) -- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341) +- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341) -- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571) +- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571) ## Endpoint Detection Response -- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894) +- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894) ## Threat Vulnerability Management -- [Defender for Endpoint Threat & Vulnerability Management now publicly +- [Defender for Endpoint Threat & Vulnerability Management now publicly available!](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/MDATP-Threat-amp-Vulnerability-Management-now-publicly-available/ba-p/460977) ## Operational -- [The Golden Hour remake - Defining metrics for a successful security +- [The Golden Hour remake - Defining metrics for a successful security operations](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/The-Golden-Hour-remake-Defining-metrics-for-a-successful/ba-p/782014) -- [Defender for Endpoint Evaluation lab is now available in public preview +- [Defender for Endpoint Evaluation lab is now available in public preview ](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271) -- [How automation brings value to your security +- [How automation brings value to your security teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297) + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1autosetupofvpn.png b/windows/security/threat-protection/microsoft-defender-atp/images/1autosetupofvpn.png new file mode 100644 index 0000000000..00a76300e9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1autosetupofvpn.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2autosetupofvpn.png b/windows/security/threat-protection/microsoft-defender-atp/images/2autosetupofvpn.png new file mode 100644 index 0000000000..81cb6070a3 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2autosetupofvpn.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2bda9244ec25d1526811da4ea91b1c86.png b/windows/security/threat-protection/microsoft-defender-atp/images/2bda9244ec25d1526811da4ea91b1c86.png index ef1fa51714..b2fb467381 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/2bda9244ec25d1526811da4ea91b1c86.png and b/windows/security/threat-protection/microsoft-defender-atp/images/2bda9244ec25d1526811da4ea91b1c86.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3autosetupofvpn.png b/windows/security/threat-protection/microsoft-defender-atp/images/3autosetupofvpn.png new file mode 100644 index 0000000000..4f77493945 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3autosetupofvpn.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4autosetupofvpn.png b/windows/security/threat-protection/microsoft-defender-atp/images/4autosetupofvpn.png new file mode 100644 index 0000000000..50c3481185 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4autosetupofvpn.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5autosetupofvpn.png b/windows/security/threat-protection/microsoft-defender-atp/images/5autosetupofvpn.png new file mode 100644 index 0000000000..da7f137329 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5autosetupofvpn.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/action-center-nav-new.png b/windows/security/threat-protection/microsoft-defender-atp/images/action-center-nav-new.png new file mode 100644 index 0000000000..062141488a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/action-center-nav-new.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/action-center-nav-old.png b/windows/security/threat-protection/microsoft-defender-atp/images/action-center-nav-old.png new file mode 100644 index 0000000000..f6f42ec7ea Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/action-center-nav-old.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing500.png b/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing500.png new file mode 100644 index 0000000000..6591814422 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing500.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/asrrecommendation.png b/windows/security/threat-protection/microsoft-defender-atp/images/asrrecommendation.png new file mode 100644 index 0000000000..1ce1089fbf Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/asrrecommendation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-reason400.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-reason400.png new file mode 100644 index 0000000000..fd74c7c487 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-reason400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine400.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine400.png new file mode 100644 index 0000000000..9bdf843bfc Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file400.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file400.png new file mode 100644 index 0000000000..5505691561 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/autoir-action-center-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/autoir-action-center-1.png new file mode 100644 index 0000000000..bc928cd157 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/autoir-action-center-1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/autoir-quarantine-file-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/autoir-quarantine-file-1.png new file mode 100644 index 0000000000..64feecb7e5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/autoir-quarantine-file-1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cloud-native-architecture.png b/windows/security/threat-protection/microsoft-defender-atp/images/cloud-native-architecture.png new file mode 100644 index 0000000000..c19f2aef54 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cloud-native-architecture.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/co-management-architecture.png b/windows/security/threat-protection/microsoft-defender-atp/images/co-management-architecture.png new file mode 100644 index 0000000000..4ce41c73a7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/co-management-architecture.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/deployment-guide-phases.png b/windows/security/threat-protection/microsoft-defender-atp/images/deployment-guide-phases.png new file mode 100644 index 0000000000..60c5d6fbdb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/deployment-guide-phases.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/deployment-guide-plan.png b/windows/security/threat-protection/microsoft-defender-atp/images/deployment-guide-plan.png new file mode 100644 index 0000000000..5c7d8075ca Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/deployment-guide-plan.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/device-timeline-filters.png b/windows/security/threat-protection/microsoft-defender-atp/images/device-timeline-filters.png new file mode 100644 index 0000000000..7bfc67772e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/device-timeline-filters.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/device-timeline-with-techniques.png b/windows/security/threat-protection/microsoft-defender-atp/images/device-timeline-with-techniques.png new file mode 100644 index 0000000000..bd0dbe0326 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/device-timeline-with-techniques.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png new file mode 100644 index 0000000000..e30347f04c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png new file mode 100644 index 0000000000..c2092639af Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png new file mode 100644 index 0000000000..85a91de789 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/filter-customize-columns.png b/windows/security/threat-protection/microsoft-defender-atp/images/filter-customize-columns.png new file mode 100644 index 0000000000..bef972e51a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/filter-customize-columns.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/intune-onboarding.png b/windows/security/threat-protection/microsoft-defender-atp/images/intune-onboarding.png new file mode 100644 index 0000000000..216b928467 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/intune-onboarding.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-1.png new file mode 100644 index 0000000000..e4e04c84d0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-2.png new file mode 100644 index 0000000000..0ec7973041 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-3.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-3.png new file mode 100644 index 0000000000..23d3f33a27 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-4.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-4.png new file mode 100644 index 0000000000..85e70f5228 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-5.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-5.png new file mode 100644 index 0000000000..d250c4f451 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-5.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-6.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-6.png new file mode 100644 index 0000000000..082e51ad2c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-6.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-7.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-7.png new file mode 100644 index 0000000000..ff5154e6b2 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-7.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-actions.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-actions.png new file mode 100644 index 0000000000..46a71a3ab6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-actions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-policy.png new file mode 100644 index 0000000000..efd5173cfb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-policy.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-settings.png new file mode 100644 index 0000000000..a09b5f9a3a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-settings.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-vpn-config.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-vpn-config.png new file mode 100644 index 0000000000..6b809309ba Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-vpn-config.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png index d2f1c35a83..db725b26fa 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mcafee-mde-migration.png b/windows/security/threat-protection/microsoft-defender-atp/images/mcafee-mde-migration.png new file mode 100644 index 0000000000..01fb4c8c22 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mcafee-mde-migration.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mde-action-center-unified.png b/windows/security/threat-protection/microsoft-defender-atp/images/mde-action-center-unified.png new file mode 100644 index 0000000000..92ddecc3b2 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mde-action-center-unified.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-action-center-columnsfilters.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-action-center-columnsfilters.png new file mode 100644 index 0000000000..1baeb6e58a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/new-action-center-columnsfilters.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/nonms-mde-migration.png b/windows/security/threat-protection/microsoft-defender-atp/images/nonms-mde-migration.png new file mode 100644 index 0000000000..b57fb891aa Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/nonms-mde-migration.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/deployment-phases.png b/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/deployment-phases.png new file mode 100644 index 0000000000..4d2a4fa946 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/deployment-phases.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/migration-phases.png b/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/migration-phases.png new file mode 100644 index 0000000000..d502450fba Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/migration-phases.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/onboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/onboard.png new file mode 100644 index 0000000000..b6a29de3bf Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/onboard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/prepare.png b/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/prepare.png new file mode 100644 index 0000000000..1001e41e0d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/prepare.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/setup.png new file mode 100644 index 0000000000..1635785046 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/phase-diagrams/setup.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/symantec-mde-migration.png b/windows/security/threat-protection/microsoft-defender-atp/images/symantec-mde-migration.png new file mode 100644 index 0000000000..5345928db9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/symantec-mde-migration.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report-small.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report-small.png new file mode 100644 index 0000000000..c71d67f43f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report-small.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png index 8106b9e665..957d61d441 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/techniques-hunt-for-related-events.png b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-hunt-for-related-events.png new file mode 100644 index 0000000000..6614b91d32 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-hunt-for-related-events.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/techniques-side-pane-clickable.png b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-side-pane-clickable.png new file mode 100644 index 0000000000..1f7e5e4dd4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-side-pane-clickable.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/techniques-side-pane-command.png b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-side-pane-command.png new file mode 100644 index 0000000000..557004bab5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-side-pane-command.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions-table.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions-table.png new file mode 100644 index 0000000000..f62d8f66b6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions-table.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions.png new file mode 100644 index 0000000000..c4ae7c8318 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-completed-by.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-completed-by.png new file mode 100644 index 0000000000..d41220688e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-completed-by.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-device-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-device-group.png new file mode 100644 index 0000000000..3227f3eb0c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-device-group.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel.png new file mode 100644 index 0000000000..586519d4c9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png deleted file mode 100644 index 27b00fdd87..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter.png new file mode 100644 index 0000000000..ebb2c93951 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter500.png new file mode 100644 index 0000000000..770141ad54 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter500.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-500.png new file mode 100644 index 0000000000..8532d279bc Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-500.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout-400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout-400.png new file mode 100644 index 0000000000..aa59d18577 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout-400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout.png new file mode 100644 index 0000000000..92dd636c71 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-hover.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-hover.png new file mode 100644 index 0000000000..64f731a465 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-hover.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-edit-groups.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-edit-groups.png new file mode 100644 index 0000000000..64cfbd439f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-edit-groups.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-global.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-global.png new file mode 100644 index 0000000000..4cc8e84eeb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-global.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png deleted file mode 100644 index 15d64d5abd..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-options.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-options.png new file mode 100644 index 0000000000..be0593bb84 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-options.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-permissions.png new file mode 100644 index 0000000000..748b97d6bb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-permissions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab.png new file mode 100644 index 0000000000..9147d3e4a8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab400.png new file mode 100644 index 0000000000..29c6618677 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-view.png new file mode 100644 index 0000000000..539ed966bb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-view.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-selected-device-groups.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-selected-device-groups.png new file mode 100644 index 0000000000..d4f3f506e5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-selected-device-groups.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-recommendation-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-recommendation-flyout.png new file mode 100644 index 0000000000..9ecf6f5300 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-recommendation-flyout.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-recommendation-flyout400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-recommendation-flyout400.png new file mode 100644 index 0000000000..d9a93c0678 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-recommendation-flyout400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png deleted file mode 100644 index 04b9835601..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png deleted file mode 100644 index 941dd99ba8..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/update-MDE-linux-4634577.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/update-MDE-linux-4634577.jpg new file mode 100644 index 0000000000..b39cfc8f6d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/update-MDE-linux-4634577.jpg differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/white-shark.png b/windows/security/threat-protection/microsoft-defender-atp/images/white-shark.png new file mode 100644 index 0000000000..ac5c199599 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/white-shark.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index f496d2d153..e14a1a1440 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md @@ -4,7 +4,7 @@ description: Use Group Policy to deploy mitigations configuration. keywords: Exploit protection, mitigations, import, export, configure, convert, conversion, deploy, install search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Import, export, and deploy exploit protection configurations @@ -21,8 +22,11 @@ manager: dansimp **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -* [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) Exploit protection helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md new file mode 100644 index 0000000000..65dcff272b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md @@ -0,0 +1,142 @@ +--- +title: Import Indicators API +description: Learn how to use the Import batch of Indicator API in Microsoft Defender Advanced Threat Protection. +keywords: apis, supported apis, submit, ti, indicator, update +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Import Indicators API + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + + +## API description +Submits or Updates batch of [Indicator](ti-indicator.md) entities. +
        CIDR notation for IPs is not supported. + +## Limitations +1. Rate limitations for this API are 30 calls per minute. +2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant. +3. Maximum batch size for one API call is 500. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ti.ReadWrite | 'Read and write Indicators' +Application | Ti.ReadWrite.All | 'Read and write All Indicators' +Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators' + + +## HTTP request +``` +POST https://api.securitycenter.microsoft.com/api/indicators/import +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Indicators | List<[Indicator](ti-indicator.md)> | List of [Indicators](ti-indicator.md). **Required** + + +## Response +- If successful, this method returns 200 - OK response code with a list of import results per indicator, see example below. +- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body. + +## Example + +**Request** + +Here is an example of the request. + +```http +POST https://api.securitycenter.microsoft.com/api/indicators/import +``` + +```json +{ + "Indicators": + [ + { + "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "demo", + "application": "demo-test", + "expirationTime": "2021-12-12T00:00:00Z", + "action": "Alert", + "severity": "Informational", + "description": "demo2", + "recommendedActions": "nothing", + "rbacGroupNames": ["group1", "group2"] + }, + { + "indicatorValue": "2233223322332233223322332233223322332233223322332233223322332222", + "indicatorType": "FileSha256", + "title": "demo2", + "application": "demo-test2", + "expirationTime": "2021-12-12T00:00:00Z", + "action": "Alert", + "severity": "Medium", + "description": "demo2", + "recommendedActions": "nothing", + "rbacGroupNames": [] + } + ] +} +``` + +**Response** + +Here is an example of the response. + +```json +{ + "value": [ + { + "id": "2841", + "indicator": "220e7d15b011d7fac48f2bd61114db1022197f7f", + "isFailed": false, + "failureReason": null + }, + { + "id": "2842", + "indicator": "2233223322332233223322332233223322332233223322332233223322332222", + "isFailed": false, + "failureReason": null + } + ] +} +``` + +## Related topic +- [Manage indicators](manage-indicators.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md index feab52dd1a..9cb3e7fef1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md @@ -1,11 +1,11 @@ --- -title: Create indicators based on certificates +title: Create indicators based on certificates ms.reviewer: description: Create indicators based on certificates that define the detection, prevention, and exclusion of entities. -keywords: ioc, certificate, certificates, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +keywords: ioc, certificate, certificates, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create indicators based on certificates @@ -25,6 +26,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) @@ -39,10 +41,10 @@ You can create indicators for certificates. Some common use cases include: It's important to understand the following requirements prior to creating indicators for certificates: -- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). - The Antimalware client version must be 4.18.1901.x or later. - Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019. -- The virus and threat protection definitions must be up-to-date. +- The virus and threat protection definitions must be up to date. - This feature currently supports entering .CER or .PEM file extensions. >[!IMPORTANT] diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md index 3e7b8c855d..ed32a99990 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md @@ -1,11 +1,11 @@ --- -title: Create indicators for files +title: Create indicators for files ms.reviewer: description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities. -keywords: file, hash, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +keywords: file, hash, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create indicators for files @@ -25,6 +26,8 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) @@ -38,7 +41,7 @@ There are two ways you can create indicators for files: ### Before you begin It's important to understand the following prerequisites prior to creating indicators for files: -- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). - The Antimalware client version must be 4.18.1901.x or later. - Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019. - To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md index 4cff1f1817..6bd26e04a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md @@ -1,11 +1,11 @@ --- -title: Create indicators for IPs and URLs/domains +title: Create indicators for IPs and URLs/domains ms.reviewer: description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities. -keywords: ip, url, domain, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +keywords: ip, url, domain, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,17 +14,19 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create indicators for IPs and URLs/domains [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) @@ -36,26 +38,30 @@ The threat intelligence data set for this has been managed by Microsoft. By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others. +> [!NOTE] +> Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported. + ### Before you begin It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains: - URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md). - The Antimalware client version must be 4.18.1906.x or later. - Supported on machines on Windows 10, version 1709 or later. - Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md). +- For support of indicators on iOS, see [Configure custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features#configure-custom-indicators). ->[!IMPORTANT] +> [!IMPORTANT] > Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. > For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
        > NOTE: ->- IP is supported for all three protocols ->- Only single IP addresses are supported (no CIDR blocks or IP ranges) ->- Encrypted URLs (full path) can only be blocked on first party browsers ->- Encrypted URLS (FQDN only) can be blocked outside of first party browsers ->- Full URL path blocks can be applied on the domain level and all unencrypted URLs +> - IP is supported for all three protocols +> - Only single IP addresses are supported (no CIDR blocks or IP ranges) +> - Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge) +> - Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) +> - Full URL path blocks can be applied on the domain level and all unencrypted URLs ->[!NOTE] ->There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. +> [!NOTE] +> There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. ### Create an indicator for IPs, URLs, or domains from the settings page diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md index a446f06755..946eeb3008 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md @@ -2,10 +2,10 @@ title: Manage indicators ms.reviewer: description: Manage indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities. -keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Manage indicators @@ -25,6 +26,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) @@ -65,8 +67,13 @@ expirationTime | DateTimeOffset | The expiration time of the indicator in the fo severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional** recommendedActions | String | TI indicator alert recommended actions. **Optional** rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional** +category | String | Category of the alert. Examples include: Execution and credential access. **Optional** +mitretechniques| String | MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/). **Optional** It is recommended to add a value in category when a MITRE technique. -## Related topics +For more information, see [Microsoft Defender for Endpoint alert categories are now aligned with MITRE ATT&CK!](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-atp-alert-categories-are-now-aligned-with/ba-p/732748). + + +## See also - [Create indicators](manage-indicators.md) - [Create indicators for files](indicator-file.md) - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md index 74f53cc04c..baef9c8ecb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md @@ -1,10 +1,10 @@ --- title: Information protection in Windows overview -ms.reviewer: +ms.reviewer: description: Learn about how information protection works in Windows to identify and protect sensitive information keywords: information, protection, dlp, data, loss, prevention, protect search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,16 +15,20 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Information protection in Windows overview [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + [!include[Prerelease information](../../includes/prerelease.md)] @@ -82,7 +86,7 @@ Data discovery based on Defender for Endpoint is also available in [Azure Log An For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip). -Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic). +Open Azure Log Analytics in Azure portal and open a query builder (standard or classic). To view Defender for Endpoint data, perform a query that contains: diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md index 30a7574c30..e3d8274f25 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md @@ -3,7 +3,7 @@ title: Use sensitivity labels to prioritize incident response description: Learn how to use sensitivity labels to prioritize and investigate incidents keywords: information, protection, data, loss, prevention,labels, dlp, incident, investigate, investigation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,21 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Use sensitivity labels to prioritize incident response [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to have the ability to prioritize investigations where sensitive files may be jeopardy so that corporate data and information are protected. diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index 683be6e6bf..f36d4f2fd7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md @@ -3,7 +3,7 @@ title: Start Investigation API description: Use this API to start investigation on a device. keywords: apis, graph api, supported apis, investigation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- - # Start Investigation API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -79,11 +85,12 @@ If successful, this method returns 201 - Created response code and [Investigatio Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` +```https POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation -Content-type: application/json +``` + +```json { - "Comment": "Test investigation", + "Comment": "Test investigation" } +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md index e9ad5814eb..e1191dde6c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md @@ -4,7 +4,7 @@ description: Use the investigation options to get details on alerts are affectin keywords: investigate, investigation, devices, device, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,91 +14,59 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- -# Investigate Microsoft Defender Advanced Threat Protection alerts +# Investigate alerts in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - - +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink) Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. -Click an alert to see the alert details view and the various tiles that provide information about the alert. +Select an alert from the alerts queue to go to alert page. This view contains the alert title, the affected assets, the details side pane, and the alert story. -From the alert details view, you can manage an alert and see alert data such as severity, category, technique, along with other information that can help you make better decisions on how to approach them. +From the alert page, begin your investigation by selecting the affected assets or any of the entities under the alert story tree view. The details pane automatically populates with further information about what you selected. To see what kind of information you can view here, read [Review alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts). -The techniques reflected in the card are based on [MITRE enterprise techniques](https://attack.mitre.org/techniques/enterprise/). +## Investigate using the alert story -You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md). +The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities. -![Image of the alert page](images/atp-alert-view.png) +Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first. -The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the device or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand. +Expand entities to view details at a glance. Selecting an entity will switch the context of the details pane to this entity, and will allow you to review further information, as well as manage that entity. Selecting *...* to the right of the entity card will reveal all actions available for that entity. These same actions appear in the details pane when that entity is in focus. -For more information about managing alerts, see [Manage alerts](manage-alerts.md). +> [!NOTE] +> The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected. -The alert details page also shows the alert process tree, an incident graph, and an artifact timeline. +![An example of an alert story with an alert in focus and some expanded cards](images/alert-story-tree.png) -You can click on the device link from the alert view to navigate to the device. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Device timeline**. If the alert appeared more than once on the device, the latest occurrence will be displayed in the **Device timeline**. +## Take action from the details pane -Alerts attributed to an adversary or actor display a colored tile with the actor's name. +Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information when it's available, and offer controls to **take action** on this entity directly from the alert page. -![A detailed view of an alert when clicked](images/atp-actor-alert.png) +Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts. -Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs), and areas where they've been observed worldwide. You will also see a set of recommended actions to take. +If you classify it as a true alert, you can also select a determination, as shown in the image below. -Some actor profiles include a link to download a more comprehensive threat intelligence report. +![A snippet of the details pane with a resolved alert and the determination drop-down expanded](images/alert-details-resolved-true.png) -![Image of detailed actor profile](images/atp-detailed-actor.png) +If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future. -The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading. +![actions and classification in the details pane with the suppression rule highlighted](images/alert-false-suppression-rule.png) -## Alert process tree -The **Alert process tree** takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page. +> [!TIP] +> If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket. -![Image of the alert process tree](images/atp-alert-process-tree.png) - -The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation. - ->[!NOTE] ->The alert process tree might not show for some alerts, including alerts not triggered directly by process activity. - -Clicking in the circle immediately to the left of the indicator displays its details. - -![Image of the alert details pane](images/atp-alert-mgt-pane.png) - -The alert details pane helps you take a deeper look at the details about the alert. It displays rich information about the execution details, file details, detections, observed worldwide, observed in organization, and other details taken from the entity's page – while remaining on the alert page, so you never leave the current context of your investigation. - - -## Incident graph -The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other devices. It provides a graphical mapping from the original device and evidence expanding to show other devices in the organization where the triggering evidence was also observed. - -![Image of the Incident graph](images/atp-incident-graph.png) - -The **Incident Graph** supports expansion by File, Process, command line, or Destination IP Address, as appropriate. - -The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page. - -You can click the full circles on the incident graph to expand the nodes and view the expansion to other devices where the matching criteria were observed. - -## Artifact timeline -The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the device, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the device. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the device earlier - without triggering an alert. - -![Image of artifact timeline](images/atp-alert-timeline.png) - -Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization. ## Related topics - [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md index 42e6837413..40b569b13d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md @@ -4,7 +4,7 @@ description: Learn how to use advanced HTTP level monitoring through network pro keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,21 +14,21 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Investigate connection events that occur behind forward proxies [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) Defender for Endpoint supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet. diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md index bee61aaabc..72a0bfbd88 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md @@ -4,7 +4,7 @@ description: Use the investigation options to see if devices and servers have be keywords: investigate domain, domain, malicious domain, microsoft defender atp, alert, URL search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,10 +14,11 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- # Investigate a domain associated with a Microsoft Defender for Endpoint alert @@ -25,11 +26,8 @@ ms.date: 04/24/2018 **Applies to:** - - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - - +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md index 599bf6a2fd..de2db9a059 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md @@ -1,10 +1,10 @@ --- title: Investigate Microsoft Defender Advanced Threat Protection files -description: Use the investigation options to get details on files associated with alerts, behaviours, or events. +description: Use the investigation options to get details on files associated with alerts, behaviors, or events. keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,22 +14,21 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- -# Investigate a file associated with a Microsoft Defender ATP alert +# Investigate a file associated with a Microsoft Defender for Endpoint alert [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -[!include[Prerelease information](../../includes/prerelease.md)] >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md index 003cb02227..04c380c532 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md @@ -1,10 +1,10 @@ --- title: Investigate incidents in Microsoft Defender ATP -description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident +description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident keywords: investigate, incident, alerts, metadata, risk, detection source, affected devices, patterns, correlation search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,18 +14,19 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Investigate incidents in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them. @@ -41,7 +42,7 @@ When you investigate an incident, you'll see: ## Analyze incident details Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, devices, investigations, evidence, graph). -![Image of incident details](images/atp-incident-details.png) +![Image of incident details1](images/atp-incident-details.png) ### Alerts You can investigate the alerts and see how they were linked together in an incident. @@ -84,7 +85,7 @@ The **Graph** tells the story of the cybersecurity attack. For example, it shows You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances have there been worldwide, whether it’s been observed in your organization, if so, how many instances. -![Image of incident details](images/atp-incident-graph-details.png) +![Image of incident details2](images/atp-incident-graph-details.png) ## Related topics - [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md index 3647ff20ed..408450f834 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md @@ -4,7 +4,7 @@ description: Use the investigation options to examine possible communication bet keywords: investigate, investigation, IP address, alert, microsoft defender atp, external IP search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,10 +14,11 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- # Investigate an IP address associated with a Microsoft Defender for Endpoint alert @@ -26,8 +27,9 @@ ms.date: 04/24/2018 **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md index aa657d9821..dbe3c86cce 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md @@ -4,7 +4,7 @@ description: Investigate affected devices by reviewing alerts, network connectio keywords: devices, tags, groups, endpoint, alerts queue, alerts, device name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service health search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Investigate devices in the Microsoft Defender for Endpoint Devices list @@ -25,8 +26,8 @@ ms.topic: article **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) @@ -132,8 +133,6 @@ More details about certain events are provided in the **Additional information** - Suspicious script detected - a potentially malicious script was found running - The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided -You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific device. - #### Event details Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown. @@ -143,7 +142,7 @@ To further inspect the event and related events, you can quickly run an [advance ### Security recommendations -**Security recommendations** are generated from Microsoft Defender ATP's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details. +**Security recommendations** are generated from Microsoft Defender for Endpoint's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details. ![Image of security recommendations tab](images/security-recommendations-device.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md index 292ee98eec..d1db196189 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md @@ -4,7 +4,7 @@ description: Investigate a user account for potential compromised credentials or keywords: investigate, account, user, user entity, alert, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,19 +14,20 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- # Investigate a user account in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md index 9a079ca9cb..5db24608de 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md @@ -3,7 +3,7 @@ title: Investigation resource type description: Microsoft Defender ATP Investigation entity. keywords: apis, graph api, supported apis, get, alerts, investigations search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,25 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Investigation resource type [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] Represent an Automated Investigation entity in Defender for Endpoint.
        See [Overview of automated investigations](automated-investigations.md) for more information. @@ -34,7 +40,7 @@ Represent an Automated Investigation entity in Defender for Endpoint. Method|Return Type |Description :---|:---|:--- [List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation -[Get single Investigation](get-investigation-collection.md) | Investigation entity | Gets single Investigation entity. +[Get single Investigation](get-investigation-object.md) | Investigation entity | Gets single Investigation entity. [Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a device. @@ -44,7 +50,7 @@ Property | Type | Description id | String | Identity of the investigation entity. startTime | DateTime Nullable | The date and time when the investigation was created. endTime | DateTime Nullable | The date and time when the investigation was completed. -cancelledBy | String | The ID of the user/application that cancelled that investigation. +cancelledBy | String | The ID of the user/application that canceled that investigation. investigationState | Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'. statusDetails | String | Additional information about the state of the investigation. machineId | String | The ID of the device on which the investigation is executed. diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index e44fe3a67f..0aa8395536 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md @@ -1,11 +1,11 @@ --- title: Configure Microsoft Defender ATP for iOS features -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for iOS features keywords: microsoft, defender, atp, ios, configure, features, ios search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,35 +15,87 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Configure Microsoft Defender for Endpoint for iOS features [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -> [!IMPORTANT] -> **PUBLIC PREVIEW EDITION** -> -> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability. -> -> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +> [!NOTE] +> Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. + +## Conditional Access with Defender for Endpoint for iOS +Microsoft Defender for Endpoint for iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies +based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. + +For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). + +## Web Protection and VPN + +By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint for iOS uses a VPN in order to provide this protection. Please note this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device. + +While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below: + +1. On your iOS device, open the **Settings** app, click or tap **General** and then **VPN**. +1. Click or tap the "i" button for Microsoft Defender ATP. +1. Toggle off **Connect On Demand** to disable VPN. + + > [!div class="mx-imgBorder"] + > ![VPN config connect on demand](images/ios-vpn-config.png) + +> [!NOTE] +> Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**. + +## Co-existence of multiple VPN profiles + +Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time. -## Configure custom indicators -Defender for Endpoint for iOS enables admins to configure custom indicators on -iOS devices as well. Refer to [Manage -indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) -on how to configure custom indicators +## Configure compliance policy against jailbroken devices -## Web Protection -By default, Defender for Endpoint for iOS includes and enables the web -protection feature. [Web -protection](web-protection-overview.md) helps -to secure devices against web threats and protect users from phishing attacks. +To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune. ->[!NOTE] ->Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. +> [!NOTE] +> At this time Microsoft Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally +Follow the steps below to create a compliance policy against jailbroken devices. + +1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**. + + > [!div class="mx-imgBorder"] + > ![Create Policy](images/ios-jb-policy.png) + +2. Specify a name of the policy, for example "Compliance Policy for Jailbreak". +3. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field. + + > [!div class="mx-imgBorder"] + > ![Policy Settings](images/ios-jb-settings.png) + +4. In the *Action for noncompliance* section, select the actions as per your requirements and select **Next**. + + > [!div class="mx-imgBorder"] + > ![Policy Actions](images/ios-jb-actions.png) + +5. In the *Assignments* section, select the user groups that you want to include for this policy and then select **Next**. +6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. + +## Configure custom indicators + +Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. For more information on how to configure custom indicators, see [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). + +> [!NOTE] +> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains. + +## Report unsafe site + +Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site. diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md index 2404da2be6..d3614e3095 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md @@ -1,11 +1,11 @@ --- title: App-based deployment for Microsoft Defender ATP for iOS -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for iOS using an app keywords: microsoft, defender, atp, ios, app, installation, deploy, uninstallation, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,67 +15,130 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- -# App-based deployment for Microsoft Defender for Endpoint for iOS +# Deploy Microsoft Defender for Endpoint for iOS [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -> [!IMPORTANT] -> **PUBLIC PREVIEW EDITION** -> -> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability. -> -> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -Defender for Endpoint for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store. +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) -Deployment devices need to be enrolled on Intune Company portal. Refer to -[Enroll your -device](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll) to -learn more about Intune device enrollment +This topic describes deploying Defender for Endpoint for iOS on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll iOS/iPadOS devices in Intune](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll). ## Before you begin -- Ensure you have access to [Microsoft Endpoint manager admin - center](https://go.microsoft.com/fwlink/?linkid=2109431). +- Ensure you have access to [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -- Ensure iOS enrollment is done for your users. Users need to have Defender for Endpoint - license assigned in order to use Defender for Endpoint for iOS. Refer [Assign licenses to - users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign) - for instructions on how to assign licenses. +- Ensure iOS enrollment is done for your users. Users need to have a Defender for Endpoint license assigned in order to use Defender for Endpoint for iOS. Refer to [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign) for instructions on how to assign licenses. +> [!NOTE] +> Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available in the [Apple App Store](https://aka.ms/mdatpiosappstore). ## Deployment steps -To install Defender for Endpoint for iOS, end-users can visit - on their iOS devices. This link will open the -TestFlight application on their device or prompt them to install TestFlight. On -the TestFlight app, follow the onscreen instructions to install Defender for Endpoint. +Deploy Defender for Endpoint for iOS via Intune Company Portal. +### Add iOS store app -![Image of deployment steps](images/testflight-get.png) +1. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** -> **iOS/iPadOS** -> **Add** -> **iOS store app** and click **Select**. + + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center1](images/ios-deploy-1.png) + +1. On the Add app page, click on **Search the App Store** and type **Microsoft Defender ATP** in the search bar. In the search results section, click on *Microsoft Defender ATP* and click **Select**. + +1. Select **iOS 11.0** as the Minimum operating system. Review the rest of information about the app and click **Next**. + +1. In the *Assignments* section, go to the **Required** section and select **Add group**. You can then choose the user group(s) that you would like to target Defender for Endpoint for iOS app. Click **Select** and then **Next**. + + > [!NOTE] + > The selected user group should consist of Intune enrolled users. + + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center2](images/ios-deploy-2.png) + +1. In the *Review + Create* section, verify that all the information entered is correct and then select **Create**. In a few moments, the Defender for Endpoint app should be created successfully, and a notification should show up at the top-right corner of the page. + +1. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully. + + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center3](images/ios-deploy-3.png) ## Complete onboarding and check status -1. Once Defender for Endpoint for iOS has been installed on the device, you +1. Once Defender for Endpoint for iOS has been installed on the device, you will see the app icon. ![A screen shot of a smart phone Description automatically generated](images/41627a709700c324849bf7e13510c516.png) -2. Tap the Defender for Endpoint app icon and follow the on-screen - instructions to complete the onboarding steps. The details include end-user - acceptance of iOS permissions required by Defender for Endpoint for iOS. +2. Tap the Defender for Endpoint app icon and follow the on-screen instructions to complete the onboarding steps. The details include end-user acceptance of iOS permissions required by Defender for Endpoint for iOS. -3. Upon successful onboarding, the device will start showing up on the Devices - list in Microsoft Defender Security Center. +3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center. > [!div class="mx-imgBorder"] > ![A screenshot of a cell phone Description automatically generated](images/e07f270419f7b1e5ee6744f8b38ddeaf.png) +## Configure Microsoft Defender for Endpoint for Supervised Mode + +The Microsoft Defender for Endpoint for iOS app has specialized ability on supervised iOS/iPadOS devices, given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender for Endpoint app needs to know if a device is in Supervised Mode. + +### Configure Supervised Mode via Intune + +Intune allows you to configure the Defender for iOS app through an App Configuration policy. + + > [!NOTE] + > This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for all managed iOS devices as a best practice. + +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App configuration policies** > **Add**. Click on **Managed devices**. + + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center4](images/ios-deploy-4.png) + +1. In the *Create app configuration policy* page, provide the following information: + - Policy Name + - Platform: Select iOS/iPadOS + - Targeted app: Select **Microsoft Defender ATP** from the list + + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center5](images/ios-deploy-5.png) + +1. In the next screen, select **Use configuration designer** as the format. Specify the following property: + - Configuration Key: issupervised + - Value type: String + - Configuration Value: {{issupervised}} + + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center6](images/ios-deploy-6.png) + +1. Click **Next** to open the **Scope tags** page. Scope tags are optional. Click **Next** to continue. + +1. On the **Assignments** page, select the groups that will receive this profile. For this scenario, it is best practice to target **All Devices**. For more information on assigning profiles, see [Assign user and device profiles](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign). + + When deploying to user groups, a user must sign in to a device before the policy applies. + + Click **Next**. + +1. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles. + +1. Next, for enhanced Anti-phishing capabilities, you can deploy a custom profile on the supervised iOS devices. Follow the steps below: + - Download the config profile from [https://aka.ms/mdatpiossupervisedprofile](https://aka.ms/mdatpiossupervisedprofile) + - Navigate to **Devices** -> **iOS/iPadOS** -> **Configuration profiles** -> **Create Profile** + + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center7](images/ios-deploy-7.png) + + - Provide a name of the profile. When prompted to import a Configuration profile file, select the one downloaded above. + - In the **Assignment** section, select the device group to which you want to apply this profile. As a best practice, this should be applied to all managed iOS devices. Click **Next**. + - On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles. + ## Next Steps [Configure Defender for Endpoint for iOS features](ios-configure-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md index 31ee7b41b6..489a76edb4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md @@ -1,78 +1,97 @@ --- -title: Microsoft Defender ATP for iOS note on Privacy -ms.reviewer: -description: Describes the Microsoft Defender ATP for iOS Privacy -keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, +title: Privacy information - Microsoft Defender for Endpoint for iOS +ms.reviewer: +description: Describes privacy information for Microsoft Defender for Endpoint for iOS +keywords: microsoft, defender, atp, ios, policy, overview search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: sunasing -author: sunasing +ms.author: macapara +author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual -hideEdit: true +ms.technology: mde --- -# Microsoft Defender ATP for iOS - Privacy information +# Privacy information - Microsoft Defender for Endpoint for iOS **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](microsoft-defender-atp-ios.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) ->[!NOTE] -> Defender for Endpoint for iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. Microsoft or your organization **does not see your browsing activity**. +> [!NOTE] +> Defender for Endpoint for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.** -Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. +Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected, and to support the service. -Information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected and to support the service. +For more information about data storage, see [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md). -## Required data +## Required data -Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected: +Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. -### Web page / Network information +Here is a list of the types of data being collected: -- Connection information -- Protocol type (such as HTTP, HTTPS, etc.) +### Web page or Network information -### Device and account information +- Domain name of the website only when a malicious connection or web page is detected. -- Device information such as date & time, iOS version, CPU info, and Device identifier -- Device identifier is one of the below: - - Wi-Fi adapter MAC address - - Randomly generated globally unique identifier (GUID) +### Device and account information -- Tenant, Device, and User information - - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely identifies the device, User respectively at Azure Active directory. - - Azure tenant ID - GUID that identifies your organization within Azure Active Directory - - Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted - - User Principal Name - Email ID of the user +- Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following: -### Product and service usage data + - Wi-Fi adapter MAC address -- App package info, including name, version, and app upgrade status -- Actions performed in the app -- Crash report logs generated by iOS -- Memory usage data + - Randomly generated globally unique identifier (GUID) -## Optional data +- Tenant, Device, and User information -Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself. + - Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory. -Optional diagnostic data includes: + - Azure tenant ID - GUID that identifies your organization within Azure Active Directory. -- App, CPU, and network usage -- Features configured by the admin + - Microsoft Defender for Endpoint org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify if there are issues affecting a select set of enterprises and the number of enterprises impacted. -**Feedback Data** is collected through in-app feedback provided by the user. + - User Principal Name - Email ID of the user. + +### Product and service usage data + +The following information is collected only for Microsoft Defender for Endpoint app installed on the device. + +- App package info, including name, version, and app upgrade status. + +- Actions done in the app. + +- Crash report logs generated by iOS. + +- Memory usage data. + +## Optional Data + +Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself. + +Optional diagnostic data includes: + +- App, CPU, and network usage for Defender for Endpoint. + +- Features configured by the admin for Defender for Endpoint. + +Feedback Data is collected through in-app feedback provided by the user. + +- The user's email address, if they choose to provide it. + +- Feedback type (smile, frown, idea) and any feedback comments submitted by the user. + +For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatement). -- The user's email address, if they choose to provide it -- Feedback type (smile, frown, idea) and any feedback comments submitted by the user -[More on Privacy](https://aka.ms/mdatpiosprivacystatement) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md index 997e5ed226..ddb445f85a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md @@ -1,11 +1,11 @@ --- title: Microsoft Defender ATP for iOS Application license terms -ms.reviewer: +ms.reviewer: description: Describes the Microsoft Defender ATP for iOS license terms -keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, +keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,10 +15,11 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual hideEdit: true +ms.technology: mde --- # Microsoft Defender for Endpoint for iOS application license terms @@ -29,7 +30,7 @@ hideEdit: true ## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT These license terms ("Terms") are an agreement between Microsoft Corporation (or -based on where you live, one of its affiliates) and you. Please read them. They +based on where you live, one of its affiliates) and you. They apply to the application named above. These Terms also apply to any Microsoft - updates, @@ -51,21 +52,21 @@ DO NOT USE THE APPLICATION.** 1. **INSTALLATION AND USE RIGHTS.** 1. **Installation and Use.** You may install and use any number of copies - of this application on iOS enabled device or devices which you own + of this application on iOS enabled device or devices that you own or control. You may use this application with your company's valid subscription of Defender for Endpoint or - an online service that includes MDATP functionalities. + an online service that includes Microsoft Defender for Endpoint functionalities. - 2. **Updates.** Updates or upgrades to MDATP may be required for full + 2. **Updates.** Updates or upgrades to Microsoft Defender for Endpoint may be required for full functionality. Some functionality may not be available in all countries. - 3. **Third Party Programs.** The application may include third party + 3. **Third-Party Programs.** The application may include third-party programs that Microsoft, not the third party, licenses to you under this agreement. Notices, if any, for the third-party program are included for your information only. 2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to - Internet access, data transfer and other services per the terms of the data + Internet access, data transfer, and other services per the terms of the data service plan and any other agreement you have with your network operator due to use of the application. You are solely responsible for any network operator charges. @@ -78,8 +79,7 @@ DO NOT USE THE APPLICATION.** operates as your consent to the transmission of standard device information (including but not limited to technical information about your device, system and application software, and peripherals) for - Internet-based or wireless services. If other terms are provided in - connection with your use of the services, those terms also apply. + Internet-based or wireless services. If other terms are provided with your use of the services, those terms also apply. - Data. Some online services require, or may be enhanced by, the installation of local software like this one. At your, or your @@ -91,21 +91,20 @@ DO NOT USE THE APPLICATION.** improve Microsoft products and services and enhance your experience. You may limit or control collection of some usage and performance data through your device settings. Doing so may disrupt your use of - certain features of the application. For additional information on - Microsoft's data collection and use, see the [Online Services + certain features of the application. For more information on Microsoft's data collection and use, see the [Online Services Terms](https://go.microsoft.com/fwlink/?linkid=2106777). 2. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else's use of it or the wireless network. You may not use the service to try to gain - unauthorized access to any service, data, account or network by any + unauthorized access to any service, data, account, or network by any means. 4. **FEEDBACK.** If you give feedback about the application to Microsoft, you - give to Microsoft, without charge, the right to use, share and commercialize + give to Microsoft, without charge, the right to use, share, and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, - technologies and services to use or interface with any specific parts of a + technologies, and services to use or interface with any specific parts of a Microsoft software or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback @@ -129,16 +128,14 @@ DO NOT USE THE APPLICATION.** - publish the application for others to copy; - - rent, lease or lend the application; or + - rent, lease, or lend the application; or - transfer the application or this agreement to any third party. 6. **EXPORT RESTRICTIONS.** The application is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the application. These laws - include restrictions on destinations, end users and end use. For additional - information, - see [www.microsoft.com/exporting](https://www.microsoft.com/exporting). + include restrictions on destinations, end users and end use. For more information, see [www.microsoft.com/exporting](https://www.microsoft.com/exporting). 7. **SUPPORT SERVICES.** Because this application is "as is," we may not provide support services for it. If you have any issues or questions about @@ -150,14 +147,13 @@ DO NOT USE THE APPLICATION.** 8. **APPLICATION STORE.** - 1. If you obtain the application through an application store (e.g., App - Store), please review the applicable application store terms to ensure + 1. If you obtain the application through an application store (for example, App + Store), review the applicable application store terms to ensure your download and use of the application complies with such terms. - Please note that these Terms are between you and Microsoft and not with + These terms are between you and Microsoft and not with the application store. - 2. The respective application store provider and its subsidiaries are third - party beneficiaries of these Terms, and upon your acceptance of these + 2. The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these Terms, the application store provider(s) will have the right to directly enforce and rely upon any provision of these Terms that grants them a benefit or rights. @@ -212,20 +208,20 @@ DO NOT USE THE APPLICATION.** This limitation applies to: - anything related to the application, services, content (including code) on - third party Internet sites, or third party programs; and + third-party Internet sites, or third-party programs; and -- claims for breach of contract, warranty, guarantee or condition; consumer +- claims for breach of contract, warranty, guarantee, or condition; consumer protection; deception; unfair competition; strict liability, negligence, - misrepresentation, omission, trespass or other tort; violation of statute or + misrepresentation, omission, trespass, or other tort; violation of statute or regulation; or unjust enrichment; all to the extent permitted by applicable law. It also applies even if: -a. Repair, replacement or refund for the application does not fully compensate +a. Repair, replacement, or refund for the application does not fully compensate you for any losses; or b. Covered Parties knew or should have known about the possibility of the damages. -The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. +The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential, or other damages. diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 98cfaa0d40..a8a4b7a434 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -3,7 +3,7 @@ title: Isolate machine API description: Learn how to use the Isolate machine API to isolate a device from accessing external network in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, isolate device search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Isolate machine API @@ -21,9 +22,16 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -52,7 +60,7 @@ Delegated (work or school account) | Machine.Isolate | 'Isolate machine' ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/machines/{id}/isolate +POST https://api.securitycenter.microsoft.com/api/machines/{id}/isolate ``` ## Request headers @@ -85,15 +93,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] +```http +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate +``` -```console -POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate -Content-type: application/json +```json { "Comment": "Isolate machine due to alert 1234", - “IsolationType”: “Full” + "IsolationType": "Full" } ``` -- To unisolate a device, see [Release device from isolation](unisolate-machine.md). +- To release a device from isolation, see [Release device from isolation](unisolate-machine.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md index e1e14ad345..a2fcd856c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md @@ -4,7 +4,7 @@ description: Provide and validate exclusions for Microsoft Defender ATP for Linu keywords: microsoft, defender, atp, linux, exclusions, scans, antivirus search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Configure and validate exclusions for Microsoft Defender for Endpoint for Linux @@ -25,8 +26,10 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 2a491e271a..e017a9cca2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -1,11 +1,11 @@ --- title: Deploy Microsoft Defender ATP for Linux manually -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deploy Microsoft Defender for Endpoint for Linux manually @@ -26,19 +27,30 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) This article describes how to deploy Microsoft Defender for Endpoint for Linux manually. A successful deployment requires the completion of all of the following tasks: -- [Configure the Linux software repository](#configure-the-linux-software-repository) -- [Application installation](#application-installation) -- [Download the onboarding package](#download-the-onboarding-package) -- [Client configuration](#client-configuration) +- [Deploy Microsoft Defender for Endpoint for Linux manually](#deploy-microsoft-defender-for-endpoint-for-linux-manually) + - [Prerequisites and system requirements](#prerequisites-and-system-requirements) + - [Configure the Linux software repository](#configure-the-linux-software-repository) + - [RHEL and variants (CentOS and Oracle Linux)](#rhel-and-variants-centos-and-oracle-linux) + - [SLES and variants](#sles-and-variants) + - [Ubuntu and Debian systems](#ubuntu-and-debian-systems) + - [Application installation](#application-installation) + - [Download the onboarding package](#download-the-onboarding-package) + - [Client configuration](#client-configuration) + - [Installer script](#installer-script) + - [Log installation issues](#log-installation-issues) + - [Operating system upgrades](#operating-system-upgrades) + - [Uninstallation](#uninstallation) ## Prerequisites and system requirements -Before you get started, see [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, see [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. ## Configure the Linux software repository @@ -59,7 +71,7 @@ In order to preview new features and provide early feedback, it is recommended t sudo yum install yum-utils ``` -- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`. +- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config/`. For instance, RHEL 7.9 is closer to 7.4 than to 8. In the below commands, replace *[distro]* and *[version]* with the information you've identified: @@ -70,7 +82,13 @@ In order to preview new features and provide early feedback, it is recommended t sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo ``` - For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insiders-fast* channel: + For example, if you are running CentOS 7 and wish to deploy MDE for Linux from the *prod* channel: + + ```bash + sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/prod.repo + ``` + + Or if you wish to explore new features on selected devices, you might want to deploy MDE for Linux to *insiders-fast* channel: ```bash sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo @@ -90,7 +108,7 @@ In order to preview new features and provide early feedback, it is recommended t ### SLES and variants -- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`. +- Note your distribution and version, and identify the closest entry(by major, then minor) for it under `https://packages.microsoft.com/config/`. In the following commands, replace *[distro]* and *[version]* with the information you've identified: @@ -98,10 +116,10 @@ In order to preview new features and provide early feedback, it is recommended t sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo ``` - For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insiders-fast* channel: + For example, if you are running SLES 12 and wish to deploy MDE for Linux from the *prod* channel: ```bash - sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo + sudo zypper addrepo -c -f -n microsoft-prod https://packages.microsoft.com/config/sles/12/prod.repo ``` - Install the Microsoft GPG public key: @@ -124,7 +142,7 @@ In order to preview new features and provide early feedback, it is recommended t sudo apt-get install libplist-utils ``` -- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`. +- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config`. In the below command, replace *[distro]* and *[version]* with the information you've identified: @@ -132,10 +150,10 @@ In order to preview new features and provide early feedback, it is recommended t curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list ``` - For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insiders-fast* channel: + For example, if you are running Ubuntu 18.04 and wish to deploy MDE for Linux from the *prod* channel: ```bash - curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list + curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/prod.list ``` - Install the repository configuration: @@ -143,6 +161,11 @@ In order to preview new features and provide early feedback, it is recommended t ```bash sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list ``` + For example, if you chose *prod* channel: + + ```bash + sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-prod.list + ``` - Install the `gpg` package if not already installed: @@ -323,6 +346,31 @@ Download the onboarding package from Microsoft Defender Security Center: mdatp threat list ``` +## Installer script + +Alternatively, you can use an automated [installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh) provided in our [public GitHub repository](https://github.com/microsoft/mdatp-xplat/). +The script identifies the distribution and version, and sets up the device to pull the latest package and install it. +You can also onboard with a provided script. + +```bash +❯ ./mde_installer.sh --help +usage: basename ./mde_installer.sh [OPTIONS] +Options: +-c|--channel specify the channel from which you want to install. Default: insiders-fast +-i|--install install the product +-r|--remove remove the product +-u|--upgrade upgrade the existing product +-o|--onboard onboard/offboard the product with +-p|--passive-mode set EPP to passive mode +-t|--tag set a tag by declaring and . ex: -t GROUP Coders +-m|--min_req enforce minimum requirements +-w|--clean remove repo from package manager for a specific channel +-v|--version print out script version +-h|--help display help +``` + +Read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/installation). + ## Log installation issues See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index 35fe0795ab..111a241a5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -1,11 +1,11 @@ --- title: Deploy Microsoft Defender ATP for Linux with Ansible -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deploy Microsoft Defender for Endpoint for Linux with Ansible @@ -26,8 +27,10 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) This article describes how to deploy Defender for Endpoint for Linux using Ansible. A successful deployment requires the completion of all of the following tasks: @@ -140,28 +143,34 @@ Create a subtask or role files that contribute to an playbook or task. ```bash - name: Add Microsoft APT key - apt_key: - keyserver: https://packages.microsoft.com/ - id: BC528686B50D79E339D3721CEB3E94ADBE1229CF - when: ansible_os_family == "Debian" + apt_key: + keyserver: https://packages.microsoft.com/ + id: BC528686B50D79E339D3721CEB3E94ADBE1229CF + when: ansible_os_family == "Debian" - name: Add Microsoft apt repository for MDATP - apt_repository: - repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main - update_cache: yes - state: present - filename: microsoft-[channel].list - when: ansible_os_family == "Debian" + apt_repository: + repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main + update_cache: yes + state: present + filename: microsoft-[channel].list + when: ansible_os_family == "Debian" + + - name: Add Microsoft DNF/YUM key + rpm_key: + state: present + key: https://packages.microsoft.com/keys/microsoft.asc + when: ansible_os_family == "RedHat" - name: Add Microsoft yum repository for MDATP - yum_repository: - name: packages-microsoft-com-prod-[channel] - description: Microsoft Defender for Endpoint - file: microsoft-[channel] - baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/ - gpgcheck: yes - enabled: Yes - when: ansible_os_family == "RedHat" + yum_repository: + name: packages-microsoft-com-prod-[channel] + description: Microsoft Defender for Endpoint + file: microsoft-[channel] + baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/ + gpgcheck: yes + enabled: Yes + when: ansible_os_family == "RedHat" ``` - Create the Ansible install and uninstall YAML files. @@ -173,13 +182,13 @@ Create a subtask or role files that contribute to an playbook or task. ``` ```Output - hosts: servers - tasks: - - include: ../roles/onboarding_setup.yml - - include: ../roles/add_apt_repo.yml - - apt: - name: mdatp - state: latest - update_cache: yes + tasks: + - include: ../roles/onboarding_setup.yml + - include: ../roles/add_apt_repo.yml + - apt: + name: mdatp + state: latest + update_cache: yes ``` ```bash @@ -200,13 +209,13 @@ Create a subtask or role files that contribute to an playbook or task. ``` ```Output - hosts: servers - tasks: + tasks: - include: ../roles/onboarding_setup.yml - include: ../roles/add_yum_repo.yml - yum: - name: mdatp - state: latest - enablerepo: packages-microsoft-com-prod-[channel] + name: mdatp + state: latest + enablerepo: packages-microsoft-com-prod-[channel] ``` ```bash @@ -216,7 +225,7 @@ Create a subtask or role files that contribute to an playbook or task. - hosts: servers tasks: - yum: - name: mdatp + name: mdatp state: absent ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 46100ac983..f3363b34dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -1,11 +1,11 @@ --- title: Deploy Microsoft Defender ATP for Linux with Puppet -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deploy Microsoft Defender for Endpoint for Linux with Puppet @@ -26,8 +27,10 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) This article describes how to deploy Defender for Endpoint for Linux using Puppet. A successful deployment requires the completion of all of the following tasks: @@ -157,7 +160,7 @@ $version = undef } file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json': - source => 'puppet:///modules/mdatp/mdatp_onboard.json', + source => 'puppet:///modules/install_mdatp/mdatp_onboard.json', owner => root, group => root, mode => '0600', diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md index 2ec4ae0d08..7da256d6f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md @@ -5,7 +5,7 @@ description: Describes how to configure Microsoft Defender ATP for Linux in ente keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Set preferences for Microsoft Defender for Endpoint for Linux @@ -26,8 +27,10 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) >[!IMPORTANT] >This topic contains instructions for how to set preferences for Defender for Endpoint for Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, see [Resources](linux-resources.md#configure-from-the-command-line). @@ -200,7 +203,7 @@ Type of threat for which the behavior is configured. Action to take when coming across a threat of the type specified in the preceding section. Can be: - **Audit**: The device is not protected against this type of threat, but an entry about the threat is logged. -- **Block**: The device is protected against this type of threat and you are notified in the user interface and the security console. +- **Block**: The device is protected against this type of threat and you are notified in the security console. - **Off**: The device is not protected against this type of threat and nothing is logged. ||| diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md index 60205953d5..e8f59927aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md @@ -4,7 +4,7 @@ description: Privacy controls, how to configure policy settings that impact priv keywords: microsoft, defender, atp, linux, privacy, diagnostic search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,16 +15,18 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Privacy for Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint](microsoft-defender-atp-linux.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Defender for Endpoint for Linux. @@ -98,7 +100,7 @@ The following fields are considered common for all events: **Required diagnostic data** is the minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and perform as expected on the device it’s installed on. -Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Defender for Endpoint feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Defender for Endpoint features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced. +Required diagnostic data helps to identify problems with Microsoft Defender for Endpoint that may be related to a device or software configuration. For example, it can help determine if a Defender for Endpoint feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Defender for Endpoint features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced. #### Software setup and inventory data events diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md index ff2da099a2..cd239ed756 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md @@ -4,7 +4,7 @@ description: Detect and block Potentially Unwanted Applications (PUA) using Micr keywords: microsoft, defender, atp, linux, pua, pus search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Detect and block potentially unwanted applications with Microsoft Defender for Endpoint for Linux @@ -25,8 +26,10 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) The potentially unwanted application (PUA) protection feature in Defender for Endpoint for Linux can detect and block PUA files on endpoints in your network. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md index 3b12f36855..0fcf1d929e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md @@ -5,7 +5,7 @@ description: Describes resources for Microsoft Defender ATP for Linux, including keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Resources @@ -26,8 +27,10 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) ## Collect diagnostic information @@ -36,20 +39,23 @@ If you can reproduce a problem, first increase the logging level, run the system 1. Increase logging level: ```bash - mdatp log level set --level verbose + mdatp log level set --level debug ``` + ```Output Log level configured successfully ``` 2. Reproduce the problem. -3. Run the following command to back up Defender for Endpoint's logs. The files will be stored inside of a .zip archive. +3. Run the following command to back up Defender for Endpoint's logs. The files will be stored inside of a .zip archive. ```bash sudo mdatp diagnostic create ``` + This command will also print out the file path to the backup after the operation succeeds: + ```Output Diagnostic file created: ``` @@ -59,6 +65,7 @@ If you can reproduce a problem, first increase the logging level, run the system ```bash mdatp log level set --level info ``` + ```Output Log level configured successfully ``` @@ -75,9 +82,9 @@ There are several ways to uninstall Defender for Endpoint for Linux. If you are ### Manual uninstallation -- ```sudo yum remove mdatp``` for RHEL and variants(CentOS and Oracle Linux). -- ```sudo zypper remove mdatp``` for SLES and variants. -- ```sudo apt-get purge mdatp``` for Ubuntu and Debian systems. +- `sudo yum remove mdatp` for RHEL and variants(CentOS and Oracle Linux). +- `sudo zypper remove mdatp` for SLES and variants. +- `sudo apt-get purge mdatp` for Ubuntu and Debian systems. ## Configure from the command line @@ -93,15 +100,15 @@ The following table lists commands for some of the most common scenarios. Run `m |Group |Scenario |Command | |----------------------|--------------------------------------------------------|-----------------------------------------------------------------------| -|Configuration |Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled|disabled]` | -|Configuration |Turn on/off cloud protection |`mdatp config cloud --value [enabled|disabled]` | -|Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled|disabled]` | -|Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled|disabled]` | -|Configuration |Turn on/off AV passive mode |`mdatp config passive-mode [enabled|disabled]` | -|Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add|remove] --name [extension]` | -|Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add|remove] --path [path-to-file]` | -|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path [path-to-directory]` | -|Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add|remove] --path [path-to-process]`
        `mdatp exclusion process [add|remove] --name [process-name]` | +|Configuration |Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled\|disabled]` | +|Configuration |Turn on/off cloud protection |`mdatp config cloud --value [enabled\|disabled]` | +|Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled\|disabled]` | +|Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled\|disabled]` | +|Configuration |Turn on/off AV passive mode |`mdatp config passive-mode --value [enabled\|disabled]` | +|Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add\|remove] --name [extension]` | +|Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add\|remove] --path [path-to-file]` | +|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add\|remove] --path [path-to-directory]` | +|Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add\|remove] --path [path-to-process]`
        `mdatp exclusion process [add\|remove] --name [process-name]` | |Configuration |List all antivirus exclusions |`mdatp exclusion list` | |Configuration |Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` | |Configuration |Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` | @@ -110,9 +117,9 @@ The following table lists commands for some of the most common scenarios. Run `m |Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` | |Configuration |Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` | |Diagnostics |Change the log level |`mdatp log level set --level verbose [error|warning|info|verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` | +|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create --path [directory]` | |Health |Check the product's health |`mdatp health` | -|Protection |Scan a path |`mdatp scan custom --path [path]` | +|Protection |Scan a path |`mdatp scan custom --path [path] [--ignore-exclusions]` | |Protection |Do a quick scan |`mdatp scan quick` | |Protection |Do a full scan |`mdatp scan full` | |Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` | @@ -124,6 +131,10 @@ The following table lists commands for some of the most common scenarios. Run `m |Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id [threat-id]` | |Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine remove --id [threat-id]` | |Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine restore --id [threat-id]` | +|Endpoint Detection and Response |Set early preview (unused) |`mdatp edr early-preview [enable|disable]` | +|Endpoint Detection and Response |Set group-id |`mdatp edr group-ids --group-id [group-id]` | +|Endpoint Detection and Response |Set/Remove tag, only `GROUP` supported |`mdatp edr tag set --name GROUP --value [tag]` | +|Endpoint Detection and Response |list exclusions (root) |`mdatp edr exclusion list [processes|paths|extensions|all]` | ## Microsoft Defender for Endpoint portal information @@ -152,6 +163,6 @@ In the Defender for Endpoint portal, you'll see two categories of information: - Logged on users do not appear in the Microsoft Defender Security Center portal. - In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered: - ```bash + ```bash sudo SUSEConnect --status-text - ``` + ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md new file mode 100644 index 0000000000..f8853d02af --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -0,0 +1,168 @@ +--- +title: How to schedule scans with Microsoft Defender for Endpoint (Linux) +description: Learn how to schedule an automatic scanning time for Microsoft Defender for Endpoint (Linux) to better protect your organization's assets. +keywords: microsoft, defender, atp, linux, scans, antivirus, microsoft defender for endpoint (linux) +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde +--- + +# Schedule scans with Microsoft Defender for Endpoint (Linux) + +To run a scan for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). + +Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. + +## Pre-requisite + +> [!NOTE] +> To get a list of all the time zones, run the following command: +> `timedatectl list-timezones`
        +> Examples for timezones: +> - `America/Los_Angeles` +> - `America/New_York` +> - `America/Chicago` +> - `America/Denver` + +## To set the Cron job +Use the following commands: + +**To backup crontab entries** + +`sudo crontab -l > /var/tmp/cron_backup_200919.dat` + +> [!NOTE] +> Where 200919 == YRMMDD + +> [!TIP] +> Do this before you edit or remove.
        + +To edit the crontab, and add a new job as a root user:
        +`sudo crontab -e` + +> [!NOTE] +> The default editor is VIM. + +You might see: + +0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh + +Press “Insert” + +Add the following entries: + +CRON_TZ=America/Los_Angeles + +0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log + +> [!NOTE] +>In this example, we have set it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8). + +Press “Esc” + +Type “:wq” without the double quotes. + +> [!NOTE] +> w == write, q == quit + +To view your cron jobs, type `sudo crontab -l` + +:::image type="content" source="..\images\linux-mdatp-1.png" alt-text="linux mdatp"::: + +**To inspect cron job runs** + +`sudo grep mdatp /var/log/cron` + +**To inspect the mdatp_cron_job.log** + +`sudo nano mdatp_cron_job.log` + +## For those who use Ansible, Chef, or Puppet + +Use the following commands: +### To set cron jobs in Ansible + +`cron – Manage cron.d and crontab entries` + +See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information. + +### To set crontabs in Chef +`cron resource` + +See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information. + +### To set cron jobs in Puppet +Resource Type: cron + +See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) for more information. + +Automating with Puppet: Cron jobs and scheduled tasks + +See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information. + +## Additional information + +**To get help with crontab** + +`man crontab` + +**To get a list of crontab file of the current user** + +`crontab -l` + +**To get a list of crontab file of another user** + +`crontab -u username -l` + +**To backup crontab entries** + +`crontab -l > /var/tmp/cron_backup.dat` + +> [!TIP] +> Do this before you edit or remove.
        + +**To restore crontab entries** + +`crontab /var/tmp/cron_backup.dat` + +**To edit the crontab and add a new job as a root user** + +`sudo crontab -e` + +**To edit the crontab and add a new job** + +`crontab -e` + +**To edit other user’s crontab entries** + +`crontab -u username -e` + +**To remove all crontab entries** + +`crontab -r` + +**To remove other user’s crontab entries** + +`crontab -u username -r` + +**Explanation** + ++—————- minute (values: 0 – 59) (special characters: , – * /)
        +| +————- hour (values: 0 – 23) (special characters: , – * /)
        +| | +———- day of month (values: 1 – 31) (special characters: , – * / L W C)
        +| | | +——- month (values: 1 – 12) (special characters: ,- * / )
        +| | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C)
        +| | | | |*****command to be executed + + diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md index 6f0bf1667a..9f54cc52f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md @@ -5,7 +5,7 @@ description: Describes how to configure Microsoft Defender ATP for static proxy keywords: microsoft, defender, atp, linux, installation, proxy search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Configure Microsoft Defender for Endpoint for Linux for static proxy discovery @@ -26,8 +27,10 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) Microsoft Defender ATP can discover a proxy server using the ```HTTPS_PROXY``` environment variable. This setting must be configured **both** at installation time and after the product has been installed. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md index 74db615cdb..87430c9333 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md @@ -1,11 +1,11 @@ --- title: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux -ms.reviewer: +ms.reviewer: description: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux keywords: microsoft, defender, atp, linux, cloud, connectivity, communication search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,19 +15,21 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) ## Run the connectivity test @@ -37,8 +39,29 @@ To test if Defender for Endpoint for Linux can communicate to the cloud with the mdatp connectivity test ``` +expected output: + +```output +Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK] +Testing connection with https://eu-cdn.x.cp.wd.microsoft.com/ping ... [OK] +Testing connection with https://wu-cdn.x.cp.wd.microsoft.com/ping ... [OK] +Testing connection with https://x.cp.wd.microsoft.com/api/report ... [OK] +Testing connection with https://winatp-gw-cus.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-eus.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-weu.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-neu.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-ukw.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-uks.microsoft.com/test ... [OK] +Testing connection with https://eu-v20.events.data.microsoft.com/ping ... [OK] +Testing connection with https://us-v20.events.data.microsoft.com/ping ... [OK] +Testing connection with https://uk-v20.events.data.microsoft.com/ping ... [OK] +Testing connection with https://v20.events.data.microsoft.com/ping ... [OK] +``` + If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall. +Failures with curl error 35 or 60, indicate certificate pinning rejection. Please check if the connection is under SSL or HTTPS inspection. If so, add Microsoft Defender for Endpoint to the allow list. + ## Troubleshooting steps for environments without proxy or with transparent proxy To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal: diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md new file mode 100644 index 0000000000..3d8a64c5c6 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md @@ -0,0 +1,95 @@ +--- +title: Troubleshoot missing events or alerts issues for Microsoft Defender ATP for Linux +description: Troubleshoot missing events or alerts issues in Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, events +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +mms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint +ms.topic: conceptual +ms.technology: mde +--- + +# Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint for Linux + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) + +This article provides some general steps to mitigate missing events or alerts in the [security center](https://securitycenter.windows.com/) portal. + +Once Microsoft Defender for Endpoint has been installed properly on a device, a device page will be generated in the portal and _File_, _Process_, _Network_ and other events should appear in the timeline and advanced hunting pages. +In case events are not appearing or some types of events are missing, that could indicate some problem. + +## Missing network and login events + +Microsoft Defender for Endpoint utilized `audit` framework from linux to track network and login activity. + +1. Make sure audit framework is working. + + ```bash + service auditd status + ``` + + expected output: + + ```output + ● auditd.service - Security Auditing Service + Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago + Docs: man:auditd(8) + https://github.com/linux-audit/audit-documentation + Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE) + Process: 16665 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS) + Main PID: 16666 (auditd) + Tasks: 25 + CGroup: /system.slice/auditd.service + ├─16666 /sbin/auditd + ├─16668 /sbin/audispd + ├─16670 /usr/sbin/sedispatch + └─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d + ``` + +2. If auditd is stopped, please start it. + + ```bash + service auditd start + ``` + +**On SLES15** systems, SYSCALL auditing in `auditd` is disabled by default and can explain missing events. + +1. To validate that SYSCALL auditing is not disabeld, list the current audit rules: + + ```bash + sudo auditctl -l + ``` + + if the following line is present, please remove it or edit it to enable Microsoft Defender for Endpoint to track specific SYSCALLs. + + ```output + -a task, never + ``` + + audit rules are located at `/etc/audit/rules.d/audit.rules`. + +## Missing file events + +File events are collected with `fanotify` framework. In case some or all file events are missing please make sure fanotify is enabled on the device and that the file system is [supported](microsoft-defender-atp-linux.md#system-requirements). + +List the filesystems on the machine with: + +```bash +df -Th +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md index 960de74bcc..1ed0260fb6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md @@ -1,11 +1,11 @@ --- title: Troubleshoot installation issues for Microsoft Defender ATP for Linux -ms.reviewer: +ms.reviewer: description: Troubleshoot installation issues for Microsoft Defender ATP for Linux keywords: microsoft, defender, atp, linux, installation search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,19 +15,21 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Troubleshoot installation issues for Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) ## Verify if installation succeeded @@ -36,9 +38,11 @@ An error in installation may or may not result in a meaningful error message by ```bash sudo journalctl | grep 'microsoft-mdatp' > installation.log ``` + ```bash grep 'postinstall end' installation.log ``` + ```Output microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216 ``` @@ -47,6 +51,20 @@ An output from the previous command with correct date and time of installation i Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file. +## Make sure you have the correct package + +Please mind that the package you are installing is matching the host distribution and version. + +| package | distribution | +|-------------------------------|------------------------------------------| +| mdatp-rhel8.Linux.x86_64.rpm | Oracle, RHEL and CentOS 8.x | +| mdatp-sles12.Linux.x86_64.rpm | SuSE Linux Enterprise Server 12.x | +| mdatp-sles15.Linux.x86_64.rpm | SuSE Linux Enterprise Server 15.x | +| mdatp.Linux.x86_64.rpm | Oracle, RHEL and CentOS 7.x | +| mdatp.Linux.x86_64.deb | Debian and Ubuntu 16.04, 18.04 and 20.04 | + +For [manual deployment](linux-install-manually.md), make sure the correct distro and version had been chosen. + ## Installation failed Check if the mdatp service is running: @@ -54,8 +72,9 @@ Check if the mdatp service is running: ```bash systemctl status mdatp ``` + ```Output - ● mdatp.service - Microsoft Defender ATP + ● mdatp.service - Microsoft Defender for Endpoint Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago Main PID: 1966 (wdavdaemon) @@ -69,70 +88,91 @@ systemctl status mdatp ## Steps to troubleshoot if mdatp service isn't running 1. Check if "mdatp" user exists: + ```bash id "mdatp" ``` + If there’s no output, run + ```bash sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp ``` 2. Try enabling and restarting the service using: + ```bash sudo systemctl enable mdatp ``` + ```bash sudo systemctl restart mdatp ``` 3. If mdatp.service isn't found upon running the previous command, run: + ```bash sudo cp /opt/microsoft/mdatp/conf/mdatp.service ``` + where `````` is ```/lib/systemd/system``` for Ubuntu and Debian distributions and - ```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES. + ```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES. Then rerun step 2. 4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details. Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot. -5. Ensure that the daemon has executable permission. +5. If `/opt` directory is a symbolic link, create a bind mount for `/opt/microsoft`. + +6. Ensure that the daemon has executable permission. + ```bash ls -l /opt/microsoft/mdatp/sbin/wdavdaemon ``` + ```Output -rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon ``` + If the daemon doesn't have executable permissions, make it executable using: + ```bash sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon ``` + and retry running step 2. -6. Ensure that the file system containing wdavdaemon isn't mounted with "noexec". +7. Ensure that the file system containing wdavdaemon isn't mounted with "noexec". ## If mdatp service is running, but EICAR text file detection doesn't work 1. Check the file system type using: + ```bash findmnt -T ``` + Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned. ## Command-line tool “mdatp” isn't working 1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command: + ```bash sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp ``` + and try again. If none of the above steps help, collect the diagnostic logs: + ```bash sudo mdatp diagnostic create ``` + ```Output Diagnostic file created: ``` + Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index e8173e8958..9c286456bd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -4,7 +4,7 @@ description: Troubleshoot performance issues in Microsoft Defender ATP for Linux keywords: microsoft, defender, atp, linux, performance search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,19 +14,20 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro mms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Troubleshoot performance issues for Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - -- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) This article provides some general steps that can be used to narrow down performance issues related to Defender for Endpoint for Linux. @@ -34,6 +35,8 @@ Real-time protection (RTP) is a feature of Defender for Endpoint for Linux that Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Defender for Endpoint for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Defender for Endpoint for Linux. +Before starting, **please make sure that other security products are not currently running on the device**. Multiple security products may conflict and impact the host performance. + The following steps can be used to troubleshoot and mitigate these issues: 1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Defender for Endpoint for Linux is contributing to the performance issues. @@ -43,19 +46,22 @@ The following steps can be used to troubleshoot and mitigate these issues: ```bash mdatp config real-time-protection --value disabled ``` + ```Output Configuration property updated ``` If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md). -2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux. + If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case please contact customer support for further instructions and mitigation. + +2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux. > [!NOTE] > This feature is available in version 100.90.70 or newer. - This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line: - + This feature is enabled by default on the `Dogfood` and `InsiderFast` channels. If you're using a different update channel, this feature can be enabled from the command line: + ```bash mdatp config real-time-protection-statistics --value enabled ``` @@ -71,6 +77,7 @@ The following steps can be used to troubleshoot and mitigate these issues: ```bash mdatp config real-time-protection --value enabled ``` + ```Output Configuration property updated ``` @@ -78,16 +85,66 @@ The following steps can be used to troubleshoot and mitigate these issues: To collect current statistics, run: ```bash - mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file + mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json ``` - The output of this command will show all processes and their associated scan activity. To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). - > [!NOTE] + > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing. + + The output of this command will show all processes and their associated scan activity. + +3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the command: + + ```bash + wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py + ``` + + The output of this command should be similar to the following: + + ```Output + --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 1020 [text/plain] + Saving to: 'high_cpu_parser.py' + + 100%[===========================================>] 1,020 --.-K/s in 0s + ``` + +4. Next, type the following commands: + + ```bash + chmod +x high_cpu_parser.py + ``` + + ```bash + cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log + ``` + + The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. + + For example, the output of the command will be something like the below: + + ```Output + ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 + 27432 None 76703 + 73467 actool     1249 + 73914 xcodebuild 1081 + 73873 bash 1050 + 27475 None 836 + 1    launchd    407 + 73468 ibtool     344 + 549  telemetryd_v1   325 + 4764 None 228 + 125  CrashPlanService 164 + ``` + + To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + + >[!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. -3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. +5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. -4. Configure Defender for Endpoint for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. - - For more details, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-update-MDE-Linux.md b/windows/security/threat-protection/microsoft-defender-atp/linux-update-MDE-Linux.md new file mode 100644 index 0000000000..24da7b0066 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-update-MDE-Linux.md @@ -0,0 +1,183 @@ +--- +title: How to schedule an update of the Microsoft Defender for Endpoint (Linux) +description: Learn how to schedule an update of the Microsoft Defender for Endpoint (Linux) to better protect your organization's assets. +keywords: microsoft, defender, atp, linux, scans, antivirus, microsoft defender for endpoint (linux) +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde +--- + +# Schedule an update of the Microsoft Defender for Endpoint (Linux) + +To run an update on Microsoft Defender for Endpoint for Linux, see [Deploy updates for Microsoft Defender for Endpoint for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-updates). + +Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. + +## Pre-requisite + +> [!NOTE] +> To get a list of all the time zones, run the following command: +> `timedatectl list-timezones`
        +> Examples for timezones:
        +> - `America/Los_Angeles` +> - `America/New_York` +> - `America/Chicago` +> - `America/Denver` + +## To set the Cron job +Use the following commands: + +**To backup crontab entries** + +`sudo crontab -l > /var/tmp/cron_backup_201118.dat` + +> [!NOTE] +> Where 201118 == YYMMDD + +> [!TIP] +> Do this before you edit or remove.
        + +To edit the crontab, and add a new job as a root user:
        +`sudo crontab -e` + +> [!NOTE] +> The default editor is VIM. + +You might see: + +0****/etc/opt/microsoft/mdatp/logrorate.sh + +And + +02**sat /bin/mdatp scan quick>~/mdatp_cron_job.log + +See [Schedule scans with Microsoft Defender for Endpoint (Linux)](linux-schedule-scan-atp.md) + +Press “Insert” + +Add the following entries: + +CRON_TZ=America/Los_Angeles + +> #!RHEL and variants (CentOS and Oracle Linux) + +`06**sun[$(date +\%d) -le 15] sudo yum update mdatp>>~/mdatp_cron_job.log` + +> #!SLES and variants + +`06**sun[$(date +\%d) -le 15] sudo zypper update mdatp>>~/mdatp_cron_job.log` + +> #!Ubuntu and Debian systems + +`06**sun [$(date +\%d) -le 15] sudo apt-get install --only-upgrade mdatp>>~/mdatp_cron_job.log` + +> [!NOTE] +> In the examples above, we are setting it to 00 minutes, 6 a.m.(hour in 24 hour format), any day of the month, any month, on Sundays.[$(date +\%d) -le 15] == Won’t run unless it’s equal or less than the 15th day (3rd week). Meaning it will run every 3rd Sundays(7) of the month at 6:00 a.m. Pacific (UTC -8). + +Press “Esc” + +Type “:wq” w/o the double quotes. + +> [!NOTE] +> w == write, q == quit + +To view your cron jobs, type `sudo crontab -l` + +:::image type="content" source="images/update-MDE-linux-4634577.jpg" alt-text="update MDE linux"::: + +To inspect cron job runs: +`sudo grep mdatp /var/log/cron` + +To inspect the mdatp_cron_job.log +`sudo nano mdatp_cron_job.log` + +## For those who use Ansible, Chef, or Puppet + +Use the following commands: +### To set cron jobs in Ansible + +`cron – Manage cron.d and crontab entries` + +See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information. + +### To set crontabs in Chef +`cron resource` + +See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information. + +### To set cron jobs in Puppet +Resource Type: cron + +See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) for more information. + +Automating with Puppet: Cron jobs and scheduled tasks + +See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information. + +## Additional information + +**To get help with crontab** + +`man crontab` + +**To get a list of crontab file of the current user** + +`crontab -l` + +**To get a list of crontab file of another user** + +`crontab -u username -l` + +**To backup crontab entries** + +`crontab -l > /var/tmp/cron_backup.dat` + +> [!TIP] +> Do this before you edit or remove.
        + +**To restore crontab entries** + +`crontab /var/tmp/cron_backup.dat` + +**To edit the crontab and add a new job as a root user** + +`sudo crontab -e` + +**To edit the crontab and add a new job** + +`crontab -e` + +**To edit other user’s crontab entries** + +`crontab -u username -e` + +**To remove all crontab entries** + +`crontab -r` + +**To remove other user’s crontab entries** + +`crontab -u username -r` + +**Explanation** + +
        ++—————- minute (values: 0 – 59) (special characters: , – * /)  
        
+| +————- hour (values: 0 – 23) (special characters: , – * /) 
        
+| | +———- day of month (values: 1 – 31) (special characters: , – * / L W C)  
        
+| | | +——- month (values: 1 – 12) (special characters: ,- * / )  
        
+| | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C) 
        
+| | | | |*****command to be executed
+
        + diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md index 7c9fe1e51e..f2f2749165 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md @@ -5,7 +5,7 @@ description: Describes how to deploy updates for Microsoft Defender ATP for Linu keywords: microsoft, defender, atp, linux, updates, deploy search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deploy updates for Microsoft Defender for Endpoint for Linux @@ -26,8 +27,10 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md index 85ee3ab500..fecdb626d7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md @@ -4,7 +4,7 @@ description: List of major changes for Microsoft Defender ATP for Linux. keywords: microsoft, defender, atp, linux, whatsnew, release search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: security ms.sitesec: library ms.pagetype: security @@ -14,15 +14,26 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # What's new in Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +## 101.18.53 + +- EDR for Linux is now [generally available](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-is-generally-available/ba-p/2048539) +- Added a new command-line switch (`--ignore-exclusions`) to ignore AV exclusions during custom scans (`mdatp scan custom`) +- Extended `mdatp diagnostic create` with a new parameter (`--path [directory]`) that allows the diagnostic logs to be saved to a different directory +- Performance improvements & bug fixes + +## 101.12.99 + +- Performance improvements & bug fixes ## 101.04.76 diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md index 7c5bb16771..92ac9ef16f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md @@ -1,10 +1,10 @@ --- title: Live response command examples description: Learn to run basic or advanced live response commands for Microsoft Defender Advanced Threat Protection (ATP) and see examples on how it's used. -keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file +keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Live response command examples @@ -23,8 +24,10 @@ ms.topic: article **Applies to:** -- [Microsoft Defender for Endpoint](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) Learn about common commands used in live response and see examples on how they are typically used. @@ -107,7 +110,7 @@ getfile c:\Users\user\Desktop\work.txt -auto > * Empty files > * Virtual files, or files that are not fully present locally > -> These file types **are** supported by [PowerShell](/powershell/scripting/overview?view=powershell-6/). +> These file types **are** supported by [PowerShell](/powershell/scripting/overview?view=powershell-6/?&preserve-view=true). > > Use PowerShell as an alternative, if you have problems using this command from within Live Response. @@ -158,7 +161,7 @@ registry HKEY_CURRENT_USER\Console ``` # Show information about a specific registry value -registry HKEY_CURRENT_USER\Console\ScreenBufferSize +registry HKEY_CURRENT_USER\Console\\ScreenBufferSize ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 312550fb3f..cf0e1e7fd8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -1,10 +1,10 @@ --- title: Investigate entities on devices using live response in Microsoft Defender ATP description: Access a device using a secure remote shell connection to do investigative work and take immediate response actions on a device in real time. -keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file, +keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,22 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Investigate entities on devices using live response [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) + Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats—in real time. Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

        @@ -43,25 +46,30 @@ With live response, analysts can do all of the following tasks: Before you can initiate a session on a device, make sure you fulfill the following requirements: -- **Verify that you're running a supported version of Windows 10**.
        -Devices must be running one of the following versions of Windows 10: - - [1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later - - [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) - - [1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) - - [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) - - [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- **Verify that you're running a supported version of Windows**.
        +Devices must be running one of the following versions of Windows -- **Make sure to install appropriate security updates**.
        - - 1903: [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384) - - 1809 (RS5): [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818) - - 1803 (RS4): [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795) - - 1709 (RS3): [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816) + - **Windows 10** + - [Version 1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later + - [Version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384) + - [Version 1809 (RS 5)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) with [with KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818) + - [Version 1803 (RS 4)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) with [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795) + - [Version 1709 (RS 3)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) with [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816) + + - **Windows Server 2019 - Only applicable for Public preview** + - Version 1903 or (with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384)) later + - Version 1809 (with [KB4537818](https://support.microsoft.com/en-us/help/4537818/windows-10-update-kb4537818)) -- **Enable live response from the settings page**.
        +- **Enable live response from the advanced settings page**.
        You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page. >[!NOTE] >Only users with manage security or global admin roles can edit these settings. + +- **Enable live response for servers from the advanced settings page** (recommended).
        + + >[!NOTE] + >Only users with manage security or global admin roles can edit these settings. - **Ensure that the device has an Automation Remediation level assigned to it**.
        You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response session to a member of that group. @@ -186,7 +194,7 @@ Here are some examples: |Command |What it does | |---------|---------| -|`"C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. | +|`Download "C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. | |`fg 1234` |Returns a download with command ID *1234* to the foreground. | @@ -293,6 +301,7 @@ Each command is tracked with full details such as: - Live response sessions are limited to 10 live response sessions at a time. - Large-scale command execution is not supported. +- Live response session inactive timeout value is 5 minutes. - A user can only initiate one session at a time. - A device can only be in one session at a time. - The following file size limits apply: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md index 04b95ce93b..1e866f42d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md @@ -4,7 +4,7 @@ description: Provide and validate exclusions for Microsoft Defender ATP for Mac. keywords: microsoft, defender, atp, mac, exclusions, scans, antivirus search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Configure and validate exclusions for Microsoft Defender for Endpoint for Mac @@ -25,8 +26,10 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring. @@ -58,6 +61,9 @@ Wildcard | Description | Example | Matches | Does not match \* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/*/*.log` | `/var/log/system.log` | `/var/log/nested/system.log` ? | Matches any single character | `file?.log` | `file1.log`
        `file2.log` | `file123.log` +>[!NOTE] +>The product attempts to resolve firmlinks when evaluating exclusions. Firmlink resolution does not work when the exclusion contains wildcards or the target file (on the `Data` volume) does not exist. + ## How to configure the list of exclusions ### From the management console diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md index d1f6337306..8989813e71 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md @@ -4,7 +4,7 @@ description: Log in to Jamf Pro keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,31 +14,33 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Log in to Jamf Pro [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) 1. Enter your credentials. - ![Image of Jamf Pro dashboard](images/jamf-pro-portal1.png) + ![Image of Jamf Pro dashboard1](images/jamf-pro-portal1.png) 2. Select **Computers**. - ![Image of Jamf Pro dashboard](images/jamf-pro-dashboard.png) + ![Image of Jamf Pro dashboard2](images/jamf-pro-dashboard.png) 3. You will see the settings that are available. - ![Image of Jamf Pro dashboard](images/jamfpro-settings.png) + ![Image of Jamf Pro dashboard3](images/jamfpro-settings.png) ## Next step diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index 7f15b5ad73..515ed636df 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -4,7 +4,7 @@ description: Install Microsoft Defender ATP for macOS manually, from the command keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,19 +14,21 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Manual deployment for Microsoft Defender for Endpoint for macOS [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for macOS](microsoft-defender-atp-mac.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) This topic describes how to deploy Microsoft Defender for Endpoint for macOS manually. A successful deployment requires the completion of all of the following steps: - [Download installation and onboarding packages](#download-installation-and-onboarding-packages) @@ -57,16 +59,16 @@ To complete this process, you must have admin privileges on the device. 1. Navigate to the downloaded wdav.pkg in Finder and open it. - ![App install screenshot](../microsoft-defender-antivirus/images/MDATP-28-AppInstall.png) + ![App install screenshot1](../microsoft-defender-antivirus/images/MDATP-28-AppInstall.png) 2. Select **Continue**, agree with the License terms, and enter the password when prompted. - ![App install screenshot](../microsoft-defender-antivirus/images/MDATP-29-AppInstallLogin.png) + ![App install screenshot2](../microsoft-defender-antivirus/images/MDATP-29-AppInstallLogin.png) > [!IMPORTANT] > You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. - ![App install screenshot](../microsoft-defender-antivirus/images/MDATP-30-SystemExtension.png) + ![App install screenshot3](../microsoft-defender-antivirus/images/MDATP-30-SystemExtension.png) 3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: @@ -86,7 +88,7 @@ To complete this process, you must have admin privileges on the device. 1. Navigate to the downloaded wdav.pkg in Finder and open it. - ![App install screenshot](images/big-sur-install-1.png) + ![App install screenshot4](images/big-sur-install-1.png) 2. Select **Continue**, agree with the License terms, and enter the password when prompted. @@ -96,13 +98,13 @@ To complete this process, you must have admin privileges on the device. 4. From the **Security & Privacy** window, select **Allow**. - ![System extension security preferences](images/big-sur-install-3.png) + ![System extension security preferences1](images/big-sur-install-3.png) 5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender for Endpoint for Mac. 6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. When prompted to grant Microsoft Defender for Endpoint permissions to filter network traffic, select **Allow**. - ![System extension security preferences](images/big-sur-install-4.png) + ![System extension security preferences2](images/big-sur-install-4.png) 7. Open **System Preferences** > **Security & Privacy** and navigate to the **Privacy** tab. Grant **Full Disk Access** permission to **Microsoft Defender ATP** and **Microsoft Defender ATP Endpoint Security Extension**. @@ -115,7 +117,7 @@ To complete this process, you must have admin privileges on the device. The client device is not associated with orgId. Note that the *orgId* attribute is blank. ```bash - mdatp --health orgId + mdatp health --field org_id ``` 2. Run the Python script to install the configuration file: @@ -127,7 +129,7 @@ To complete this process, you must have admin privileges on the device. 3. Verify that the device is now associated with your organization and reports a valid *orgId*: ```bash - mdatp --health orgId + mdatp health --field org_id ``` After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 87c1b96104..e0cb7de973 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -1,10 +1,10 @@ --- title: Intune-based deployment for Microsoft Defender ATP for Mac -description: Install Microsoft Defender ATP for Mac, using Microsoft Intune. +description: Install Microsoft Defender for Endpoint for Mac, using Microsoft Intune. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Intune-based deployment for Microsoft Defender for Endpoint for Mac @@ -42,7 +43,7 @@ This topic describes how to deploy Microsoft Defender for Endpoint for Mac throu ## Prerequisites and system requirements -Before you get started, see [the main MIcrosoft Defender for EndpointP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, see [the main Microsoft Defender for Endpoint for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. ## Overview @@ -56,7 +57,7 @@ The following table summarizes the steps you would need to take to deploy and ma | [Grant full disk access to Microsoft Defender for Endpoint](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc | | [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A | | [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 | -| [Microsoft Defender for Endpoint configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)

        **Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav | +| [Microsoft Defender for Endpoint configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)

        **Note:** If you are planning to run a third-party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav | | [Configure Microsoft Defender for Endpoint and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray | ## Download installation and onboarding packages diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index 1585ac5850..9ca979d54b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -4,7 +4,7 @@ description: Deploying Microsoft Defender ATP for macOS with Jamf Pro keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deploying Microsoft Defender for Endpoint for macOS with Jamf Pro @@ -25,12 +26,17 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) Learn how to deploy Microsoft Defender for Endpoint for macOS with Jamf Pro. -This is a multi step process. You'll need to complete all of the following steps: +> [!NOTE] +> If you are using macOS Catalina (10.15.4) or newer versions of macOS, see [New configuration profiles for macOS Catalina and newer versions of macOS](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies). + +This is a multistep process. You'll need to complete all of the following steps: - [Login to the Jamf Portal](mac-install-jamfpro-login.md) - [Setup the Microsoft Defender for Endpoint for macOS device groups in Jamf Pro](mac-jamfpro-device-groups.md) @@ -40,4 +46,3 @@ This is a multi step process. You'll need to complete all of the following steps - diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md index 68a77f3f8f..1138236d4b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md @@ -4,7 +4,7 @@ description: Install Microsoft Defender ATP for Mac on other management solution keywords: microsoft, defender, atp, mac, installation, deploy, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint for Mac @@ -25,8 +26,10 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) ## Prerequisites and system requirements @@ -95,7 +98,7 @@ Grant Full Disk Access to the following components: - Identifier Type: Bundle ID - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9 -- Microsoft Defender for Endpoint Endpoint Security Extension +- Microsoft Defender for Endpoint Security Extension - Identifier: `com.microsoft.wdav.epsext` - Identifier Type: Bundle ID - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 @@ -112,4 +115,4 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender ## Check installation status -Run [mdatp](mac-install-with-jamf.md) on a client device to check the onboarding status. +Run [Microsoft Defender for Endpoint](mac-install-with-jamf.md) on a client device to check the onboarding status. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md index d0bde6a3d1..d6c2b96c1a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md @@ -4,7 +4,7 @@ description: Learn how to set up device groups in Jamf Pro for Microsoft Defende keywords: device, group, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,19 +14,21 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- -# Set up Microsoft c for macOS device groups in Jamf Pro +# Set up Microsoft Defender for Endpoint for macOS device groups in Jamf Pro [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) Set up the device groups similar to Group policy organizational unite (OUs), Microsoft Endpoint Configuration Manager's device collection, and Intune's device groups. @@ -34,15 +36,15 @@ Set up the device groups similar to Group policy organizational unite (OUs), Mi 2. Select **New**. - ![Image of Jamf Pro](images/jamf-pro-static-group.png) + ![Image of Jamf Pro1](images/jamf-pro-static-group.png) 3. Provide a display name and select **Save**. - ![Image of Jamf Pro](images/jamfpro-machine-group.png) + ![Image of Jamf Pro2](images/jamfpro-machine-group.png) 4. Now you will see the **Contoso's Machine Group** under **Static Computer Groups**. - ![Image of Jamf Pro](images/contoso-machine-group.png) + ![Image of Jamf Pro3](images/contoso-machine-group.png) ## Next step - [Set up Microsoft Defender for Endpoint for macOS policies in Jamf Pro](mac-jamfpro-policies.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md index d6954e0d90..584cf1782d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md @@ -1,10 +1,10 @@ --- -title: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro -description: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro +title: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro +description: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Enroll Microsoft Defender for Endpoint for macOS devices into Jamf Pro @@ -25,8 +26,10 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) ## Enroll macOS devices @@ -44,7 +47,7 @@ For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/c 1. In the Jamf Pro dashboard, navigate to **Enrollment invitations**. - ![Image of configuration settings](images/a347307458d6a9bbfa88df7dbe15398f.png) + ![Image of configuration settings1](images/a347307458d6a9bbfa88df7dbe15398f.png) 2. Select **+ New**. @@ -52,29 +55,29 @@ For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/c 3. In **Specify Recipients for the Invitation** > under **Email Addresses** enter the e-mail address(es) of the recipients. - ![Image of configuration settings](images/718b9d609f9f77c8b13ba88c4c0abe5d.png) + ![Image of configuration settings2](images/718b9d609f9f77c8b13ba88c4c0abe5d.png) - ![Image of configuration settings](images/ae3597247b6bc7c5347cf56ab1e820c0.png) + ![Image of configuration settings3](images/ae3597247b6bc7c5347cf56ab1e820c0.png) For example: janedoe@contoso.com - ![Image of configuration settings](images/4922c0fcdde4c7f73242b13bf5e35c19.png) + ![Image of configuration settings4](images/4922c0fcdde4c7f73242b13bf5e35c19.png) 4. Configure the message for the invitation. - ![Image of configuration settings](images/ce580aec080512d44a37ff8e82e5c2ac.png) + ![Image of configuration settings5](images/ce580aec080512d44a37ff8e82e5c2ac.png) - ![Image of configuration settings](images/5856b765a6ce677caacb130ca36b1a62.png) + ![Image of configuration settings6](images/5856b765a6ce677caacb130ca36b1a62.png) - ![Image of configuration settings](images/3ced5383a6be788486d89d407d042f28.png) + ![Image of configuration settings7](images/3ced5383a6be788486d89d407d042f28.png) - ![Image of configuration settings](images/54be9c6ed5b24cebe628dc3cd9ca4089.png) + ![Image of configuration settings8](images/54be9c6ed5b24cebe628dc3cd9ca4089.png) ## Enrollment Method 2: Prestage Enrollments 1. In the Jamf Pro dashboard, navigate to **Prestage enrollments**. - ![Image of configuration settings](images/6fd0cb2bbb0e60a623829c91fd0826ab.png) + ![Image of configuration settings9](images/6fd0cb2bbb0e60a623829c91fd0826ab.png) 2. Follow the instructions in [Computer PreStage Enrollments](https://docs.jamf.com/9.9/casper-suite/administrator-guide/Computer_PreStage_Enrollments.html). @@ -82,24 +85,24 @@ For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/c 1. Select **Continue** and install the CA certificate from a **System Preferences** window. - ![Image of Jamf Pro enrollment](images/jamfpro-ca-certificate.png) + ![Image of Jamf Pro enrollment1](images/jamfpro-ca-certificate.png) 2. Once CA certificate is installed, return to the browser window and select **Continue** and install the MDM profile. - ![Image of Jamf Pro enrollment](images/jamfpro-install-mdm-profile.png) + ![Image of Jamf Pro enrollment2](images/jamfpro-install-mdm-profile.png) 3. Select **Allow** to downloads from JAMF. - ![Image of Jamf Pro enrollment](images/jamfpro-download.png) + ![Image of Jamf Pro enrollment3](images/jamfpro-download.png) 4. Select **Continue** to proceed with the MDM Profile installation. - ![Image of Jamf Pro enrollment](images/jamfpro-install-mdm.png) + ![Image of Jamf Pro enrollment4](images/jamfpro-install-mdm.png) 5. Select **Continue** to install the MDM Profile. - ![Image of Jamf Pro enrollment](images/jamfpro-mdm-unverified.png) + ![Image of Jamf Pro enrollment5](images/jamfpro-mdm-unverified.png) 6. Select **Continue** to complete the configuration. - ![Image of Jamf Pro enrollment](images/jamfpro-mdm-profile.png) + ![Image of Jamf Pro enrollment6](images/jamfpro-mdm-profile.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md index 5faeec9c8d..780f0d40dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md @@ -4,7 +4,7 @@ description: Learn how to set up the Microsoft Defender ATP for macOS policies i keywords: policies, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Set up the Microsoft Defender for Endpoint for macOS policies in Jamf Pro @@ -750,18 +751,14 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/990742cd9a15ca9fdd37c9f695d1b9f4.png) -4. Navigate to **Advanced Computer Searches**. - - ![A screenshot of a social media post Description automatically generated](images/95313facfdd5e1ea361981e0a2478fec.png) - -5. Select **Computer Management**. +4. Select your computer and click the gear icon at the top, then select **Computer Management**. ![Image of configuration settings](images/b6d671b2f18b89d96c1c8e2ea1991242.png) -6. In **Packages**, select **+ New**. +5. In **Packages**, select **+ New**. ![A picture containing bird Description automatically generated](images/57aa4d21e2ccc65466bf284701d4e961.png) -7. In **New Package** Enter the following details: +6. In **New Package** Enter the following details: **General tab** - Display Name: Leave it blank for now. Because it will be reset when you choose your pkg. @@ -774,15 +771,17 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![A screenshot of a computer screen Description automatically generated](images/1aa5aaa0a387f4e16ce55b66facc77d1.png) -8. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. +7. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. + **Manifest File** is not required. Microsoft Defender Advanced Threat Protection works without Manifest File. + **Options tab**
        Keep default values. **Limitations tab**
        Keep default values. ![Image of configuration settings](images/56dac54634d13b2d3948ab50e8d3ef21.png) -9. Select **Save**. The package is uploaded to Jamf Pro. +8. Select **Save**. The package is uploaded to Jamf Pro. ![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png) @@ -790,45 +789,45 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png) -10. Navigate to the **Policies** page. +9. Navigate to the **Policies** page. ![Image of configuration settings](images/f878f8efa5ebc92d069f4b8f79f62c7f.png) -11. Select **+ New** to create a new policy. +10. Select **+ New** to create a new policy. ![Image of configuration settings](images/847b70e54ed04787e415f5180414b310.png) -12. In **General** Enter the following details: +11. In **General** Enter the following details: - Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later ![Image of configuration settings](images/625ba6d19e8597f05e4907298a454d28.png) -13. Select **Recurring Check-in**. +12. Select **Recurring Check-in**. ![Image of configuration settings](images/68bdbc5754dfc80aa1a024dde0fce7b0.png) -14. Select **Save**. +13. Select **Save**. -15. Select **Packages > Configure**. +14. Select **Packages > Configure**. ![Image of configuration settings](images/8fb4cc03721e1efb4a15867d5241ebfb.png) -16. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. +15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. ![Image of configuration settings](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png) -17. Select **Save**. +16. Select **Save**. ![Image of configuration settings](images/9d6e5386e652e00715ff348af72671c6.png) -18. Select the **Scope** tab. +17. Select the **Scope** tab. ![Image of configuration settings](images/8d80fe378a31143db9be0bacf7ddc5a3.png) -19. Select the target computers. +18. Select the target computers. ![Image of configuration settings](images/6eda18a64a660fa149575454e54e7156.png) @@ -844,7 +843,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/c9f85bba3e96d627fe00fc5a8363b83a.png) -20. Select **Done**. +19. Select **Done**. ![Image of configuration settings](images/99679a7835b0d27d0a222bc3fdaf7f3b.png) @@ -853,4 +852,3 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint - diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index 615f212fd6..0c8ecdb75c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -4,7 +4,7 @@ description: Configure Microsoft Defender ATP for Mac in enterprise organization keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Set preferences for Microsoft Defender for Endpoint for Mac diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md index 2bf5eaf608..2c0d778f02 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md @@ -4,7 +4,7 @@ description: Privacy controls, how to configure policy settings that impact priv keywords: microsoft, defender, atp, mac, privacy, diagnostic search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,19 +14,22 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Privacy for Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender for Endpoint for Mac. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md index 7668c4bfd0..2dcf7cdb1d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md @@ -4,7 +4,7 @@ description: Detect and block Potentially Unwanted Applications (PUA) using Micr keywords: microsoft, defender, atp, mac, pua, pus search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,19 +14,22 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Detect and block potentially unwanted applications with Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) The potentially unwanted application (PUA) protection feature in Microsoft Defender for Endpoint for Mac can detect and block PUA files on endpoints in your network. @@ -58,7 +61,7 @@ You can configure how PUA files are handled from the command line or from the ma In Terminal, execute the following command to configure PUA protection: ```bash -mdatp --threat --type-handling potentially_unwanted_application [off|audit|block] +mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block] ``` ### Use the management console to configure PUA protection: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index c6833b26ec..fe3f27eb84 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md @@ -4,7 +4,7 @@ description: Resources for Microsoft Defender ATP for Mac, including how to unin keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,19 +14,21 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Resources for Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Collecting diagnostic information @@ -46,13 +48,13 @@ If you can reproduce a problem, increase the logging level, run the system for s 3. Run `sudo mdatp diagnostic create` to back up the Microsoft Defender for Endpoint logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds. - > [!TIP] - > By default, diagnostic logs are saved to `/Library/Application Support/Microsoft/Defender/wdavdiag/`. To change the directory where diagnostic logs are saved, pass `--path [directory]` to the below command, replacing `[directory]` with the desired directory. + > [!TIP] + > By default, diagnostic logs are saved to `/Library/Application Support/Microsoft/Defender/wdavdiag/`. To change the directory where diagnostic logs are saved, pass `--path [directory]` to the below command, replacing `[directory]` with the desired directory. ```bash sudo mdatp diagnostic create ``` - ```Output + ```console Diagnostic file created: "/Library/Application Support/Microsoft/Defender/wdavdiag/932e68a8-8f2e-4ad0-a7f2-65eb97c0de01.zip" ``` @@ -61,7 +63,7 @@ If you can reproduce a problem, increase the logging level, run the system for s ```bash mdatp log level set --level info ``` - ```Output + ```console Log level configured successfully ``` @@ -90,7 +92,7 @@ Important tasks, such as controlling product settings and triggering on-demand s |Group |Scenario |Command | |-------------|-------------------------------------------|----------------------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp config real-time-protection [enabled/disabled]` | +|Configuration|Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled/disabled]` | |Configuration|Turn on/off cloud protection |`mdatp config cloud --value [enabled/disabled]` | |Configuration|Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled/disabled]` | |Configuration|Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission --value [enabled/disabled]` | @@ -102,28 +104,27 @@ Important tasks, such as controlling product settings and triggering on-demand s |Configuration|Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action audit` | |Configuration|Turn on/off passiveMode |`mdatp config passive-mode --value enabled [enabled/disabled]` | |Diagnostics |Change the log level |`mdatp log level set --level [error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create --path [directory]` | +|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create --path [directory]` | |Health |Check the product's health |`mdatp health` | |Health |Check for a spefic product attribute |`mdatp health --field [attribute: healthy/licensed/engine_version...]` | -|Protection |Scan a path |`mdatp scan custom --path [path]` | +|Protection |Scan a path |`mdatp scan custom --path [path] [--ignore-exclusions]` | |Protection |Do a quick scan |`mdatp scan quick` | |Protection |Do a full scan |`mdatp scan full` | |Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` | |Protection |Request a security intelligence update |`mdatp definitions update` | -|EDR |Turn on/off EDR preview for Mac |`mdatp edr early-preview [enabled/disabled]` | |EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp edr tag set --name GROUP --value [name]` | |EDR |Remove group tag from device |`mdatp edr tag remove --tag-name [name]` | -|EDR |Add Group Id |`mdatp edr group-ids --group-id [group]` | +|EDR |Add Group ID |`mdatp edr group-ids --group-id [group]` | ### How to enable autocompletion -To enable autocompletion in `Bash`, run the following command and restart the Terminal session: +To enable autocompletion in bash, run the following command and restart the Terminal session: ```bash echo "source /Applications/Microsoft\ Defender\ ATP.app/Contents/Resources/Tools/mdatp_completion.bash" >> ~/.bash_profile ``` -To enable autocompletion in `zsh`: +To enable autocompletion in zsh: - Check whether autocompletion is enabled on your device: @@ -131,7 +132,7 @@ To enable autocompletion in `zsh`: cat ~/.zshrc | grep autoload ``` -- If the above command does not produce any output, you can enable autocompletion using the following command: +- If the preceding command does not produce any output, you can enable autocompletion using the following command: ```zsh echo "autoload -Uz compinit && compinit" >> ~/.zshrc @@ -148,8 +149,8 @@ To enable autocompletion in `zsh`: ## Client Microsoft Defender for Endpoint quarantine directory -`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`. +`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp threat list`. ## Microsoft Defender for Endpoint portal information -[This blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect in Microsoft Defender for Endpoint Security Center. +[EDR capabilities for macOS have now arrived](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801), on the Microsoft Defender for Endpoint blog, provides detailed guidance on what to expect in Microsoft Defender for Endpoint Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md index 98d0151efc..a053822f50 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md @@ -4,7 +4,7 @@ description: Learn how to schedule an automatic scanning time for Microsoft Defe keywords: microsoft, defender, atp, mac, scans, antivirus search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,15 +14,21 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Schedule scans with Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) While you can start a threat scan at any time with Microsoft Defender for Endpoint, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. @@ -46,7 +52,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device. sh -c - /usr/local/bin/mdatp --scan --quick + /usr/local/bin/mdatp scan quick RunAtLoad @@ -61,8 +67,6 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device. Weekday 5 - StartInterval - 604800 WorkingDirectory /usr/local/bin/ @@ -72,7 +76,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device. 2. Save the file as *com.microsoft.wdav.schedquickscan.plist*. > [!TIP] - > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp --scan --quick`, to use the `--full` option instead of `--quick` (i.e. `/usr/local/bin/mdatp --scan --full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. + > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp scan quick`, to use the `full` option instead of `quick` (i.e. `/usr/local/bin/mdatp scan full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. 3. Open **Terminal**. 4. Enter the following commands to load your file: @@ -84,7 +88,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device. 5. Your scheduled scan will run at the date, time, and frequency you defined in your p-list. In the example, the scan runs at 2:00 AM every Friday. - Note that the `StartInterval` value is in seconds, indicating that scans should run every 604,800 seconds (one week), while the `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday. + The `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday. > [!IMPORTANT] > Agents executed with *launchd* will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md index 4df09099cf..794b22f614 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md @@ -4,7 +4,7 @@ description: Troubleshoot installation issues in Microsoft Defender ATP for Mac. keywords: microsoft, defender, atp, mac, install search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Troubleshoot installation issues for Microsoft Defender for Endpoint for Mac @@ -27,6 +28,10 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Installation failed diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md index 9241a56fdf..dac89cd0e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md @@ -4,7 +4,7 @@ description: Troubleshoot kernel extension-related issues in Microsoft Defender keywords: microsoft, defender, atp, mac, kernel, extension search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Troubleshoot kernel extension issues in Microsoft Defender for Endpoint for Mac @@ -27,6 +28,10 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) This article provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender for Endpoint for Mac. @@ -36,15 +41,15 @@ If you did not approve the kernel extension during the deployment/installation o ![RTP disabled screenshot](../microsoft-defender-antivirus/images/MDATP-32-Main-App-Fix.png) -You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device. +You can also run ```mdatp health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device. ```bash -mdatp --health +mdatp health ``` ```Output ... -realTimeProtectionAvailable : false -realTimeProtectionEnabled : true +real_time_protection_enabled : false +real_time_protection_available : true ... ``` @@ -89,15 +94,15 @@ In this case, you need to perform the following steps to trigger the approval fl sudo kextutil /Library/Extensions/wdavkext.kext ``` - The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available: + The banner should disappear from the Defender application, and ```mdatp health``` should now report that real-time protection is both enabled and available: ```bash - mdatp --health + mdatp health ``` ```Output ... - realTimeProtectionAvailable : true - realTimeProtectionEnabled : true + real_time_protection_enabled : true + real_time_protection_available : true ... ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md index 742a7507d0..f5fffd8908 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md @@ -4,7 +4,7 @@ description: Troubleshoot license issues in Microsoft Defender ATP for Mac. keywords: microsoft, defender, atp, mac, performance search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Troubleshoot license issues for Microsoft Defender for Endpoint for Mac @@ -27,6 +28,10 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) While you are going through [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) and [Manual deployment](mac-install-manually.md) testing or a Proof Of Concept (PoC), you might get the following error: @@ -42,7 +47,7 @@ Contact your administrator for help. **Cause:** -You deployed and/or installed the MDATP for macOS package ("Download installation package") but you might have run the configuration script ("Download onboarding package"). +You deployed and/or installed the Microsoft Defender for Endpoint for macOS package ("Download installation package") but you might have run the configuration script ("Download onboarding package"). **Solution:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 40e8240cbf..f7fc2a6d90 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md @@ -4,7 +4,7 @@ description: Troubleshoot performance issues in Microsoft Defender ATP for Mac. keywords: microsoft, defender, atp, mac, performance search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Troubleshoot performance issues for Microsoft Defender for Endpoint for Mac @@ -27,6 +28,10 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender for Endpoint for Mac. @@ -42,13 +47,13 @@ The following steps can be used to troubleshoot and mitigate these issues: - From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**. - ![Manage real-time protection screenshot](../microsoft-defender-antivirus/images/mdatp-36-rtp.png) + ![Manage real-time protection screenshot](../microsoft-defender-antivirus/images/mdatp-36-rtp.png) - From the Terminal. For security purposes, this operation requires elevation. - ```bash - mdatp --config realTimeProtectionEnabled false - ``` + ```bash + mdatp config real-time-protection --value disabled + ``` If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md index 9b20ff2260..87e9d428dc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md @@ -4,7 +4,7 @@ description: This topic describes the changes that are must be made in order to keywords: microsoft, defender, atp, mac, kernel, system, extensions, catalina search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: security ms.sitesec: library ms.pagetype: security @@ -14,16 +14,22 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual ROBOTS: noindex,nofollow +ms.technology: mde --- # New configuration profiles for macOS Catalina and newer versions of macOS [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) In alignment with macOS evolution, we are preparing a Microsoft Defender for Endpoint for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS. @@ -150,13 +156,13 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender 4. After the certificate is created and installed to your device, run the following command from the Terminal to sign the file: ```bash - $ security cms -S -N "" -i /com.apple.webcontent-filter.mobileconfig -o /com.microsoft.network-extension.signed.mobileconfig + $ security cms -S -N "" -i /com.microsoft.network-extension.mobileconfig -o /com.microsoft.network-extension.signed.mobileconfig ``` For example, if the certificate name is **SigningCertificate** and the signed file is going to be stored in Documents: ```bash - $ security cms -S -N "SigningCertificate" -i ~/Documents/com.apple.webcontent-filter.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig + $ security cms -S -N "SigningCertificate" -i ~/Documents/com.microsoft.network-extension.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig ``` 5. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. Select `com.microsoft.network-extension.signed.mobileconfig` when prompted for the file. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md index 9eacf9f1c6..d77b0c8e35 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md @@ -1,10 +1,10 @@ --- -title: Microsoft Defender ATP for Mac - System Extensions (Public Preview) +title: Microsoft Defender ATP for Mac - system extensions (Preview) description: This article contains instructions for trying out the system extensions functionality of Microsoft Defender ATP for Mac. This functionality is currently in public preview. keywords: microsoft, defender, atp, mac, kernel, system, extensions, catalina search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: security ms.sitesec: library ms.pagetype: security @@ -14,80 +14,85 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual ROBOTS: noindex,nofollow +ms.technology: mde --- -# Microsoft Defender for Endpoint for Mac - System Extensions (Public Preview) -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +# Microsoft Defender for Endpoint for Mac - system extensions public preview) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -In alignment with macOS evolution, we are preparing a Defender for Endpoint for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS. +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -This functionality is currently in public preview. This article contains instructions for enabling this functionality on your device. You can choose to try out this feature locally on your own device or configure it remotely through a management tool. +In alignment with macOS evolution, we are preparing a Defender for Endpoint for Mac update that leverages system extensions instead of kernel extensions. This update will only apply to macOS Catalina (10.15.4) and later versions of macOS. + +This functionality is currently in public preview. This article describes how to enable this functionality on your device. You can try out this feature locally on your own device or configure it remotely through a management tool. These steps assume you already have Defender for Endpoint running on your device. For more information, see [this page](microsoft-defender-atp-mac.md). ## Known issues -- We’ve received reports of the network extension interfering with Apple SSO Kerberos extension. +- We’ve received reports of the network extension interfering with the Apple SSO Kerberos extension. - The current version of the product still installs a kernel extension. The kernel extension is only used as a fallback mechanism and will be removed before this feature reaches public preview. -- We are still working on a product version that deploys and functions properly on macOS 11 Big Sur. +- We're still working on a product version that deploys and functions properly on macOS 11 Big Sur. ## Deployment prerequisites -- Minimum operating system version: **10.15.4** +- Minimum macOS operating system version: **10.15.4** - Minimum product version: **101.03.73** -- Your device must be in the **Insider Fast update channel**. You can check the update channel using the following command: +- Your device must be in the **Insider Fast update channel**. You can check the update channel by using the following command: -```bash -mdatp --health releaseRing -``` + ```bash + mdatp health --field release_ring + ``` -If your device is not already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted). + If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted). -```bash -defaults write com.microsoft.autoupdate2 ChannelName -string InsiderFast -``` + ```bash + defaults write com.microsoft.autoupdate2 ChannelName -string InsiderFast + ``` -Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [this page](mac-updates.md#set-the-channel-name). + Alternatively, if you're in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender ATP for Mac: Set the channel name](mac-updates.md#set-the-channel-name). ## Deployment steps -Select the deployment steps corresponding to your environment and your preferred method of trying out this feature. +Follow the deployment steps that correspond to your environment and your preferred method of trying out this feature. ### Manual deployment -#### Approve the system extensions & enable the network extension +#### Approve the system extensions and enable the network extension -Once all deployment prerequisites are met, restart your device to start the system extension approval and activation process. +1. After all deployment prerequisites are met, restart your device to launch the system extension approval and activation process. -You will be presented series of system prompts to approve the Defender for Endpoint system extensions. You must approve ALL prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device. + You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device. + + For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run. -For each approval, click **Open Security Preferences** and then click **Allow** to allow the system extension to run. + > [!IMPORTANT] + > You must close and reopen the **System Preferences** > **Security & Privacy** window between subsequent approvals. Otherwise, macOS will not display the next approval. -> [!IMPORTANT] -> Between subsequent approvals, you must close and re-open the **System Preferences** > **Security & Privacy** window, otherwise macOS will not display the next approval. + > [!IMPORTANT] + > There is a one-minute timeout before the product falls back to the kernel extension. This ensures that the device is protected. + > + > If more than one minute elapses, restart the daemon by rebooting the device or by using `sudo killall -9 wdavdaemon` to trigger the approval flow again. -> [!IMPORTANT] -> There is a one minute timeout before the product falls back to the kernel extension (to ensure that the device is protected). -> -> If more than one minute has elapsed, restart the daemon (by rebooting the device or using `sudo killall -9 wdavdaemon`) in order to trigger the approval flow again. + ![System extension approval pop-up](images/mac-system-extension-approval.png) -![System extension approval pop-up](images/mac-system-extension-approval.png) + ![System extension approval window](images/mac-system-extension-pref.png) -![System extension approval window](images/mac-system-extension-pref.png) +1. After the system extensions are approved, macOS prompts for an approval to allow network traffic to be filtered. Click **Allow**. -Following the approval of the system extensions, macOS will prompt for an approval to allow network traffic to be filtered. Click **Allow**. - -![Network extension approval pop-up](images/mac-system-extension-filter.png) + ![Network extension approval pop-up](images/mac-system-extension-filter.png) #### Grant Full Disk Access to the Endpoint Security system extension -Open **System Preferences** > **Security & Privacy** > **Privacy** tab and grant **Full Disk Access** to the **Microsoft Defender Endpoint Security Extension**. +Open the **System Preferences** > **Security & Privacy** > **Privacy** tab and grant **Full Disk Access** to the **Microsoft Defender Endpoint Security Extension**. ![Full disk access for Endpoint Security system extension](images/mac-system-extension-fda.png) @@ -107,46 +112,46 @@ Terminal output `endpoint_security_extension` indicates the product is using the ### Managed deployment -Refer to [this page](mac-sysext-policies.md#jamf) for the new configuration profiles that must be deployed for this new feature. +Refer to [New configuration profiles for macOS Catalina and newer versions of macOS: JAMF](mac-sysext-policies.md#jamf) for the new configuration profiles you must deploy for this new feature. -In addition to those profiles, make sure the target devices are also configured to be in the Insider Fast update channel, as described in [this section](#deployment-prerequisites). +In addition to those profiles, make sure to configure the target devices to be in the Insider Fast update channel, as described in [Deployment prerequisites](#deployment-prerequisites). -On a device where all prerequisites are met and the new configuration profiles have been deployed, run: +On a device where all prerequisites are met and the new configuration profiles have been deployed, run the following command: ```bash $ mdatp health --field real_time_protection_subsystem ``` -If this command prints `endpoint_security_extension`, then the product is using the system extensions functionality. +If this command prints `endpoint_security_extension`, the product is using the system extensions functionality. ## Validate basic scenarios -1. Test EICAR detection. From a Terminal window, run: +1. Test European Institute for Computer Antivirus Research (EICAR) detection. From a Terminal window, run the following command: -```bash -curl -o eicar.txt https://secure.eicar.org/eicar.com.txt -``` + ```bash + curl -o eicar.txt https://secure.eicar.org/eicar.com.txt + ``` - Verify that the EICAR file is quarantined. This verification can be done from the user interface (from the Protection History page) or command line using the following command: + Verify that the EICAR file is quarantined. You can verify the file's status on the Protection History page in the user interface, or from a command line by using the following command: -```bash -mdatp threat list -``` + ```bash + mdatp threat list + ``` -2. Test EDR DIY scenario. From a terminal window, run: +2. Test the Endpoint Detection and Response (EDR) DIY scenario. From a terminal window, run the following command: -```bash -curl -o "MDATP MacOS DIY.zip" https://aka.ms/mdatpmacosdiy -``` + ```bash + curl -o "MDATP MacOS DIY.zip" https://aka.ms/mdatpmacosdiy + ``` - Validate that two alerts have popped up in the portal in the machine page for EICAR and EDR DIY scenarios. + Validate that two alerts popped up in the portal on the machine page for EICAR and EDR DIY scenarios. ## Frequently asked questions - Q: Why am I still seeing `kernel_extension` when I run `mdatp health --field real_time_protection_subsystem`? - - A: Refer back to the [Deployment prerequisites](#deployment-prerequisites) section and double-check all of them are met. If all prerequisites are met, restart your device and check again. -- Q: When is macOS 11 Big Sur going to be supported? + A: Refer back to the [Deployment prerequisites](#deployment-prerequisites) section and double-check that all prerequisites are met. If all prerequisites are met, restart your device and check again. - A: We are actively working on adding support for macOS 11. We will post more information to the [What's new](mac-whatsnew.md). +- Q: When will macOS 11 Big Sur be supported? + + A: We are actively working on adding support for macOS 11. We will post more information to the [What's new](mac-whatsnew.md) page. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md index 7db11e8873..f5f21dd264 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md @@ -4,7 +4,7 @@ description: Control updates for Microsoft Defender ATP for Mac in enterprise en keywords: microsoft, defender, atp, mac, updates, deploy search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deploy updates for Microsoft Defender for Endpoint for Mac @@ -27,6 +28,10 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 7c00c8af5a..093e303240 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -4,7 +4,7 @@ description: Learn about the major changes for previous versions of Microsoft De keywords: microsoft, defender, atp, mac, installation, macos, whatsnew search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: security ms.sitesec: library ms.pagetype: security @@ -14,34 +14,55 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # What's new in Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) > [!IMPORTANT] -> In preparation for macOS 11 Big Sur, we are getting ready to release an update to Microsoft Defender for Endpoint for Mac that will leverage new system extensions instead of kernel extensions. Apple will stop supporting kernel extensions starting macOS 11 Big Sur version. Therefore an update to the Microsoft Defender for Endpoint for Mac agent is required on all eligible macOS devices prior to moving these devices to macOS 11. -> -> The update is applicable to devices running macOS version 10.15.4 or later. -> -> To ensure that the Microsoft Defender for Endpoint for Mac update is delivered and applied seamlessly from an end-user experience perspective, a new remote configuration must be deployed to all eligible macOS devices before Microsoft publishes the new agent version. If the configuration is not deployed prior to the Microsoft Defender for Endpoint for Mac agent update, end-users will be presented with a series of system dialogs asking to grant the agent all necessary permissions associated with the new system extensions. -> -> Timing: -> - Organizations that previously opted into Microsoft Defender for Endpoint preview features in Microsoft Defender Security Center, must be ready for Microsoft Defender for Endpoint for Mac agent update **by August 10, 2020**. -> - Organizations that do not participate in public previews for Microsoft Defender for Endpoint features, must be ready **by September 07, 2020**. -> -> Action is needed by IT administrator. Review the steps below and assess the impact on your organization: -> -> 1. Deploy the specified remote configuration to eligible macOS devices before Microsoft publishes the new agent version.
        -> Even though Microsoft Defender for Endpoint for Mac new implementation based on system extensions is only applicable to devices running macOS version 10.15.4 or later, deploying configuration proactively across the entire macOS fleet will ensure that even down-level devices are prepared for the day when Apple releases macOS 11 Big Sur and will ensure that Microsoft Defender for Endpoint for Mac continues protecting all macOS devices regardless OS version they were running prior to the Big Sur upgrade. -> -> 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md). -> 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update. +> On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md). + +> [!IMPORTANT] +> Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021. + +## 101.19.88 (20.121011.11988.0) + +- Performance improvements & bug fixes + +## 101.19.48 (20.120121.11948.0) + +> [!NOTE] +> The old command-line tool syntax has been deprecated with this release. For information on the new syntax, see [Resources](mac-resources.md#configuring-from-the-command-line). + +- Added a new command-line switch to disable the network extension: `mdatp system-extension network-filter disable`. This command can be useful to troubleshoot networking issues that could be related to Microsoft Defender for Endpoint for Mac +- Performance improvements & bug fixes + +## 101.19.21 (20.120101.11921.0) + +- Bug fixes + +## 101.15.26 (20.120102.11526.0) + +- Improved the reliability of the agent when running on macOS 11 Big Sur +- Added a new command-line switch (`--ignore-exclusions`) to ignore AV exclusions during custom scans (`mdatp scan custom`) +- Performance improvements & bug fixes + +## 101.13.75 (20.120101.11375.0) + +- Removed conditions when Microsoft Defender for Endpoint was triggering a macOS 11 (Big Sur) bug that manifests into a kernel panic +- Fixed a memory leak in the Endpoint Security system extension when running on mac 11 (Big Sur) +- Bug fixes ## 101.10.72 @@ -57,9 +78,6 @@ ms.topic: conceptual - This product version has been validated on macOS Big Sur 11 beta 9 - > [!IMPORTANT] - > Extensive testing of MDE (Microsoft Defender for Endpoint) with new macOS system extensions revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. - - The new syntax for the `mdatp` command-line tool is now the default one. For more information on the new syntax, see [Resources for Microsoft Defender for Endpoint for Mac](mac-resources.md#configuring-from-the-command-line) > [!NOTE] @@ -165,7 +183,7 @@ ms.topic: conceptual - Fixed an issue where Microsoft Defender for Endpoint for Mac was sometimes interfering with Time Machine - Added a new switch to the command-line utility for testing the connectivity with the backend service ```bash - mdatp --connectivity-test + mdatp connectivity test ``` - Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view) - Performance improvements & bug fixes diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md index 3b19a5d4f9..415f9626d7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md @@ -4,7 +4,7 @@ description: Create device groups and set automated remediation levels on them b keywords: device groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create and manage device groups @@ -27,6 +28,10 @@ ms.topic: article - Azure Active Directory - Office 365 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + In an enterprise scenario, security operation teams are typically assigned a set of devices. These devices are grouped together based on a set of attributes such as their domains, computer names, or designated tags. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md index 45864dd1d6..50499f53c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md @@ -4,7 +4,7 @@ description: Track device health state detections, antivirus status, OS platform keywords: health state, antivirus, os platform, windows 10 version, version, health, compliance, state search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Device health and compliance report in Microsoft Defender for Endpoint @@ -24,8 +25,11 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions. The dashboard is structured into two sections: diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md index 73940895f1..33158122e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md @@ -4,7 +4,7 @@ description: Use device tags to group devices to capture context and enable dyna keywords: tags, device tags, device groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,14 +13,20 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create and manage device tags [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Add tags on devices to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Tags can be used as a filter in **Devices list** view, or to group devices. For more information on device grouping, see [Create and manage device groups](machine-groups.md). @@ -51,16 +57,17 @@ To add device tags using API, see [Add or remove device tags API](add-or-remove- 3. Type to find or create tags - ![Image of adding tags on a device](images/new-tags.png) + ![Image of adding tags on a device1](images/new-tags.png) Tags are added to the device view and will also be reflected on the **Devices list** view. You can then use the **Tags** filter to see the relevant list of devices. >[!NOTE] -> Filtering might not work on tag names that contain parenthesis. +> Filtering might not work on tag names that contain parenthesis.
        +> When you create a new tag, a list of existing tags are displayed. The list only shows tags created through the portal. Existing tags created from client devices will not be displayed. You can also delete tags from this view. -![Image of adding tags on a device](images/more-manage-tags.png) +![Image of adding tags on a device2](images/more-manage-tags.png) ## Add device tags by setting a registry key value diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index b234d37124..93a132cb3a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -3,7 +3,7 @@ title: Machine resource type description: Learn about the methods and properties of the Machine resource type in Microsoft Defender Advanced Threat Protection. keywords: apis, supported apis, get, machines search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Machine resource type [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] [!include[Prerelease information](../../includes/prerelease.md)] @@ -40,6 +46,7 @@ Method|Return Type |Description [Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID. [Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine. [Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP. +[Find machines by tag](find-machines-by-tag.md) | [machine](machine.md) collection | Find machines by [Tag](machine-tags.md). [Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID [Set device value](set-device-value.md)| [machine](machine.md) collection | Set the [value of a device](tvm-assign-device-value.md). @@ -50,19 +57,21 @@ Property | Type | Description id | String | [machine](machine.md) identity. computerDnsName | String | [machine](machine.md) fully qualified name. firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint. -lastSeen | DateTimeOffset | Last date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint. +lastSeen | DateTimeOffset |Time and date of the last received full device report. A device typically sends a full report every 24 hours. osPlatform | String | Operating system platform. +osProcessor | String | Operating system processor. version | String | Operating system Version. osBuild | Nullable long | Operating system build number. lastIpAddress | String | Last IP on local NIC on the [machine](machine.md). lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet. -healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" +healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown". rbacGroupName | String | Machine group Name. -rbacGroupId | Int | Machine group unique ID. -riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'. +riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'. exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'. aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is AAD Joined). machineTags | String collection | Set of [machine](machine.md) tags. exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'. deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'. +ipAddresses | IpAddress collection | Set of ***IpAddress*** objects. See [Get machines API](get-machines.md). + diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md index 94f6a0a86b..53f094852d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md @@ -3,7 +3,7 @@ title: machineAction resource type description: Learn about the methods and properties of the MachineAction resource type in Microsoft Defender Advanced Threat Protection. keywords: apis, supported apis, get, machineaction, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,26 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # MachineAction resource type [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - For more information, see [Response Actions](respond-machine-alerts.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md index c4df93659f..97acdb209c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md @@ -4,7 +4,7 @@ description: Learn about the available features that you can use from the Device keywords: sort, filter, export, csv, device name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,22 +13,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# View and organize the Microsoft Defender ATP Devices list +# View and organize the Microsoft Defender for Endpoint Devices list [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink) -The **Devices list** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices with alerts seen in the last 30 days. +The **Devices list** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days. At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk. @@ -61,7 +63,7 @@ The exposure level reflects the current exposure of the device based on the cumu If the exposure level says "No data available," there are a few reasons why this may be the case: - Device stopped reporting for more than 30 days – in that case it is considered inactive, and the exposure isn't computed -- Device OS not supported - see [minimum requirements for Microsoft Defender ATP](minimum-requirements.md) +- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md) - Device with stale agent (very unlikely) ### OS Platform @@ -106,4 +108,4 @@ Filter the list based on the grouping and tagging that you've added to individua ## Related topics -- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) +- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index 9a210d00da..41774a9023 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -4,7 +4,7 @@ description: Change the status of alerts, create suppression rules to hide alert keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,21 +13,23 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Manage Microsoft Defender Advanced Threat Protection alerts +# Manage Microsoft Defender for Endpoint alerts [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink) -Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**. +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink) + +Defender for Endpoint notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**. You can manage alerts by selecting an alert in the **Alerts queue**, or the **Alerts** tab of the Device page for an individual device. @@ -43,7 +45,7 @@ If an alert is not yet assigned, you can select **Assign to me** to assign the a ## Suppress alerts -There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. +There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Defender for Endpoint lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed. @@ -82,7 +84,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can 3. Select the **Triggering IOC**. 4. Specify the action and scope on the alert.
        - You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and device timeline and will appear as resolved across Microsoft Defender ATP APIs.

        Alerts that are marked as hidden will be suppressed from the entire system, both on the device's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs. + You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and device timeline and will appear as resolved across Defender for Endpoint APIs.

        Alerts that are marked as hidden will be suppressed from the entire system, both on the device's associated alerts and from the dashboard and will not be streamed across Defender for Endpoint APIs. 5. Enter a rule name and a comment. @@ -120,10 +122,10 @@ Added comments instantly appear on the pane. ## Related topics - [Manage suppression rules](manage-suppression-rules.md) -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) +- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md) +- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md) +- [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md) +- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md) +- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md) +- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md) +- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md index a0a93f2dc7..c1a3662efb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md @@ -4,8 +4,8 @@ description: Learn how to manage Microsoft Defender for Endpoint with Configurat keywords: post-migration, manage, operations, maintenance, utilization, Configuration Manager, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,8 +15,8 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-scenario + - M365-security-compliance + - m365solution-scenario ms.topic: article ms.date: 09/22/2020 ms.reviewer: chventou @@ -26,9 +26,12 @@ ms.reviewer: chventou [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + We recommend using We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) (Intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction) (Configuration Manager) to manage your organization's threat protection features for devices (also referred to as endpoints). - [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md index c9fe3f4c85..c200ef678f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md @@ -4,8 +4,8 @@ description: Learn how to manage Microsoft Defender for Endpoint with Group Poli keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,8 +15,8 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-scenario + - M365-security-compliance + - m365solution-scenario ms.topic: article ms.date: 09/22/2020 ms.reviewer: chventou @@ -26,9 +26,12 @@ ms.reviewer: chventou [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + > [!NOTE] > We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction). **[Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md index 36d77dce37..093f7f6712 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md @@ -4,8 +4,8 @@ description: Learn how to manage Microsoft Defender for Endpoint with Intune keywords: post-migration, manage, operations, maintenance, utilization, intune, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,8 +15,8 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-scenario + - M365-security-compliance + - m365solution-scenario ms.topic: article ms.date: 09/22/2020 ms.reviewer: chventou @@ -26,9 +26,11 @@ ms.reviewer: chventou [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes Microsoft Intune (Intune) to manage your organization's threat protection features for devices (also referred to as endpoints). [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). @@ -61,7 +63,7 @@ The following table lists various tasks you can perform to configure Microsoft D |**Use Conditional Access** to control the devices and apps that can connect to your email and company resources |[Configure Conditional Access in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access) | |**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)) |[Device restrictions: Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)

        [Policy CSP - Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) | |**If necessary, specify exclusions for Microsoft Defender Antivirus**

        *Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.* |[Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/help/822158/virus-scanning-recommendations-for-enterprise-computers)

        [Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 devices](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions)

        [Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus)| -|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers

        *Configure your attack surface reduction rules in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender)

        [Endpoint protection: Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction)

        [Learn more about attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)

        [Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) | +|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers

        *Configure your attack surface reduction rules in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender for Endpoint ](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender)

        [Endpoint protection: Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction)

        [Learn more about attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)

        [Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) | |**Configure your network filtering** to block outbound connections from any app to IP addresses or domains with low reputations

        *Network filtering is also referred to as [network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection).*

        *Make sure that Windows 10 devices have the latest [antimalware platform updates](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform) installed.*|[Endpoint protection: Network filtering](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering)

        [Review network protection events in Windows Event Viewer](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection#review-network-protection-events-in-windows-event-viewer) | |**Configure controlled folder access** to protect against ransomware

        *[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access)

        [Enable controlled folder access in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#intune) | |**Configure exploit protection** to protect your organization's devices from malware that uses exploits to spread and infect other devices

        *[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection) is also referred to as Exploit Guard.* |[Endpoint protection: Microsoft Defender Exploit Guard](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-exploit-guard)

        [Enable exploit protection in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection#intune) | diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md index 339857a351..e37ba456ce 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md @@ -4,8 +4,8 @@ description: Learn how to manage Microsoft Defender for Endpoint with PowerShell keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, WMI, MPCmdRun.exe, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,8 +15,8 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-scenario + - M365-security-compliance + - m365solution-scenario ms.topic: article ms.date: 09/22/2020 ms.reviewer: chventou @@ -26,9 +26,11 @@ ms.reviewer: chventou [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) > [!NOTE] > We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction). diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md index 7d186a373a..99daf91009 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md @@ -4,8 +4,8 @@ description: Now that you've made the switch to Microsoft Defender for Endpoint, keywords: post-migration, manage, operations, maintenance, utilization, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,10 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-scenario + - M365-security-compliance + - m365solution-scenario ms.topic: conceptual -ms.date: 09/22/2020 +ms.date: 01/26/2021 ms.reviewer: chventou --- @@ -26,9 +26,11 @@ ms.reviewer: chventou [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) After you have moved from your previous endpoint protection and antivirus solution to Microsoft Defender for Endpoint, your next step is to manage your features and capabilities. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction), to manage your organization's devices and security settings. However, you can use other tools/methods, such as [Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy). @@ -39,7 +41,10 @@ The following table lists various tools/methods you can use, with links to learn |---------|---------| |**[Threat and vulnerability management dashboard insights](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights)** in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) |The threat & vulnerability management dashboard provides actionable information that your security operations team can use to reduce exposure and improve your organization's security posture.

        See [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) and [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). | |**[Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune)** (recommended) |Microsoft Intune (Intune), a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), focuses on mobile device management (MDM) and mobile application management (MAM). With Intune, you control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications.

        See [Manage Microsoft Defender for Endpoint using Intune](manage-atp-post-migration-intune.md). | -|**[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Configuration Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software.

        See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md). | +|**[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software.

        See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md). | |**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs).

        See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). | |**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*

        You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell).

        You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi).

        You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). | +## See also + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index ab130cb910..9ca811142b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -1,10 +1,10 @@ --- -title: Review and approve remediation actions following automated investigations in the Microsoft Defender Security Center +title: Review remediation actions following automated investigations description: Review and approve (or reject) remediation actions following an automated investigation. -keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, devices, duration, filter export +keywords: autoir, automated, investigation, detection, remediation, action, pending, approved search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,13 +14,14 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint -ms.topic: conceptual -ms.date: 09/15/2020 +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: how-to +ms.date: 01/29/2021 +ms.technology: mde --- -# Review and approve remediation actions following an automated investigation +# Review remediation actions following an automated investigation [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -39,28 +40,66 @@ remediation actions can occur automatically or only upon approval by your organi Here are a few examples: -- Example 1: Fabrikam's device groups are set to **Full - remediate threats automatically** (this is the recommended setting). In this case, remediation actions are taken automatically for artifacts that are considered to be malicious following an automated investigation. (See [Review completed actions](#review-completed-actions).) +- **Example 1**: Fabrikam's device groups are set to **Full - remediate threats automatically** (the recommended setting). In this case, remediation actions are taken automatically for artifacts that are considered to be malicious following an automated investigation (see [Review completed actions](#review-completed-actions)). -- Example 2: Contoso's devices are included in a device group that is set for **Semi - require approval for any remediation**. In this case, Contoso's security operations team must review and approve all remediation actions following an automated investigation. (See [Review pending actions](#review-pending-actions).) +- **Example 2**: Contoso's devices are included in a device group that is set for **Semi - require approval for any remediation**. In this case, Contoso's security operations team must review and approve all remediation actions following an automated investigation (see [Review pending actions](#review-pending-actions)). -- Example 3: Tailspin Toys has their device groups set to **No automated response** (this is not recommended). In this case, automated investigations do not occur. As a result, no remediation actions are taken or pending, and no actions are logged in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) for their devices. (See [Manage device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups#manage-device-groups)) +- **Example 3**: Tailspin Toys has their device groups set to **No automated response** (not recommended). In this case, automated investigations do not occur. No remediation actions are taken or pending, and no actions are logged in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) for their devices (see [Manage device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups#manage-device-groups)). -Whether taken automatically or upon approval, remediation actions following an automated investigation include the following: +Whether taken automatically or upon approval, an automated investigation can result in one or more of the remediation actions: - Quarantine a file - Remove a registry key - Kill a process - Stop a service -- Remove a registry key - Disable a driver - Remove a scheduled task -### Automated investigation results and remediation actions +## Review pending actions -The following table summarizes remediation actions following an automated investigation, how device group settings affect whether actions are taken automatically or upon approval, and what to do in each case. +1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. +2. In the navigation pane, choose **Action center**. +3. Review the items on the **Pending** tab. +4. Select an action to open its flyout pane. +5. In the flyout pane, review the information, and then take one of the following steps: + - Select **Open investigation page** to view more details about the investigation. + - Select **Approve** to initiate a pending action. + - Select **Reject** to prevent a pending action from being taken. + - Select **Go hunt** to go into [Advanced hunting](advanced-hunting-overview.md). + +## Review completed actions + +1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. +2. In the navigation pane, choose **Action center**. +3. Review the items on the **History** tab. +4. Select an item to view more details about that remediation action. + +## Undo completed actions + +If you’ve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. In the Action center, on the **History** tab, you can undo any of the following actions: + +| Action source | Supported Actions | +|:---|:---| +| - Automated investigation
        - Microsoft Defender Antivirus
        - Manual response actions | - Isolate device
        - Restrict code execution
        - Quarantine a file
        - Remove a registry key
        - Stop a service
        - Disable a driver
        - Remove a scheduled task | + +### To undo multiple actions at one time + +1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in. +2. On the **History** tab, select the actions that you want to undo. Make sure to select items that have the same Action type. A flyout pane opens. +3. In the flyout pane, select **Undo**. + +### To remove a file from quarantine across multiple devices + +1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in. +2. On the **History** tab, select an item that has the Action type **Quarantine file**. +3. In the flyout pane, select **Apply to X more instances of this file**, and then select **Undo**. + +## Automation levels, automated investigation results, and resulting actions + +Automation levels affect whether certain remediation actions are taken automatically or only upon approval. Sometimes your security operations team has more steps to take, depending on the results of an automated investigation. The following table summarizes automation levels, results of automated investigations, and what to do in each case. |Device group setting | Automated investigation results | What to do | |:---|:---|:---| -|**Full - remediate threats automatically** (this is the recommended setting) |A verdict of *Malicious* is reached for a piece of evidence.

        Appropriate remediation actions are taken automatically. |[Review completed actions](#review-completed-actions) | +|**Full - remediate threats automatically** (the recommended setting) |A verdict of *Malicious* is reached for a piece of evidence.

        Appropriate remediation actions are taken automatically. |[Review completed actions](#review-completed-actions) | |**Full - remediate threats automatically** |A verdict of *Suspicious* is reached for a piece of evidence.

        Remediation actions are pending approval to proceed. | [Approve (or reject) pending actions](#review-pending-actions) | |**Semi - require approval for any remediation** |A verdict of either *Malicious* or *Suspicious* is reached for a piece of evidence.

        Remediation actions are pending approval to proceed. |[Approve (or reject) pending actions](#review-pending-actions) | |**Semi - require approval for core folders remediation** |A verdict of *Malicious* is reached for a piece of evidence.

        If the artifact is a file or executable and is in an operating system directory, such as the Windows folder or the Program files folder, then remediation actions are pending approval.

        If the artifact is *not* in an operating system directory, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)

        2. [Review completed actions](#review-completed-actions) | @@ -68,39 +107,16 @@ The following table summarizes remediation actions following an automated invest |**Semi - require approval for non-temp folders remediation** |A verdict of *Malicious* is reached for a piece of evidence.

        If the artifact is a file or executable that is not in a temporary folder, such as the user's downloads folder or temp folder, remediation actions are pending approval.

        If the artifact is a file or executable that *is* in a temporary folder, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)

        2. [Review completed actions](#review-completed-actions) | |**Semi - require approval for non-temp folders remediation** |A verdict of *Suspicious* is reached for a piece of evidence.

        Remediation actions are pending approval. |[Approve (or reject) pending actions](#review-pending-actions) | |Any of the **Full** or **Semi** automation levels |A verdict of *No threats found* is reached for a piece of evidence.

        No remediation actions are taken, and no actions are pending approval. |[View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center) | -|**No automated response** (this is not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. |[Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) | +|**No automated response** (not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. |[Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) | -In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions). +In Microsoft Defender for Endpoint, all verdicts are tracked in the [Action center](auto-investigation-action-center.md#new-a-unified-action-center). -> [!TIP] -> To learn more about remediation actions following an automated investigation, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). - - -## Review pending actions - -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the [Security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard). - -2. On the Security operations dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. - -3. Review any items on the **Pending** tab. - -4. Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. - - Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details. You can also select multiple investigations to approve or reject actions on multiple investigations. - -## Review completed actions - -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the [Security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard). - -2. On the Security operations dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. - -3. Select the **History** tab. (If need be, expand the time period to display more data.) - -4. Select an item to view more details about that remediation action. - ## Next steps -- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide) +- [Learn about live response capabilities](live-response.md) +- [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md) +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) -- [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center) +## See also +- [Overview of automated investigations](automated-investigations.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md index 0b5d31597f..48a1efeb78 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md @@ -4,7 +4,7 @@ description: Enable content analysis and configure the file extension and email keywords: automation, file, uploads, content, analysis, file, extension, email, attachment search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,23 +13,20 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Manage automation file uploads [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink) Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md index 29529c8847..11d49454fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md @@ -1,10 +1,10 @@ --- title: Manage automation folder exclusions -description: Add automation folder exclusions to control the files that are excluded from an automated investigation. +description: Add automation folder exclusions to control the files that are excluded from an automated investigation. keywords: manage, automation, exclusion, block, clean, malicious search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Manage automation folder exclusions @@ -23,13 +24,10 @@ ms.topic: article **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink) Automation folder exclusions allow you to specify folders that the Automated investigation will skip. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md index 458c0798ce..d053e3cc3d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md @@ -1,11 +1,11 @@ --- title: Manage endpoint detection and response capabilities +description: Manage endpoint detection and response capabilities ms.reviewer: -description: keywords: search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,15 +15,21 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Manage endpoint detection and response capabilities [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Manage the alerts queue, investigate devices in the devices list, take response actions, and hunt for possible threats in your organization using advanced hunting. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md index f0cd8403c1..bb8890d383 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md @@ -1,10 +1,10 @@ --- title: Manage Microsoft Defender ATP incidents -description: Manage incidents by assigning it, updating its status, or setting its classification. +description: Manage incidents by assigning it, updating its status, or setting its classification. keywords: incidents, manage, assign, status, classification, true alert, false alert search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,18 +14,22 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- -# Manage Microsoft Defender ATP incidents +# Manage Microsoft Defender for Endpoint incidents [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index d5186273e9..8f63f16b11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -1,11 +1,11 @@ --- title: Create indicators -ms.reviewer: +ms.reviewer: description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities. keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,30 +16,31 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create indicators [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response). Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the device group to apply it to. -Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV). +Currently supported sources are the cloud detection engine of Defender for Endpoint, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV). **Cloud detection engine**
        -The cloud detection engine of Microsoft Defender ATP regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC. +The cloud detection engine of Defender for Endpoint regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC. **Endpoint prevention engine**
        -The same list of indicators is honored by the prevention agent. Meaning, if Microsoft Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Microsoft Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Microsoft Defender AV will not detect nor block the file from being run. +The same list of indicators is honored by the prevention agent. Meaning, if Microsoft Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Microsoft Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Microsoft Defender AV will not detect nor block the file from being run. **Automated investigation and remediation engine**
        The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad". @@ -64,5 +65,5 @@ You can create an indicator for: ## Related topics - [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) -- [Use the Microsoft Defender ATP indicators API](ti-indicator.md) +- [Use the Microsoft Defender for Endpoint indicators API](ti-indicator.md) - [Use partner integrated solutions](partner-applications.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md index d13aa975d2..a1e9db40c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md @@ -4,7 +4,7 @@ description: You might need to prevent alerts from appearing in the portal by us keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Manage suppression rules @@ -23,8 +24,11 @@ ms.topic: article **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see [Suppress alerts](manage-alerts.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index c3176ac54a..9f7564dcb1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md @@ -5,7 +5,7 @@ description: Learn about the management tools and API categories in Microsoft De keywords: onboarding, api, siem, rbac, access, portal, integration, investigation, response, entities, entity, user context, application context, streaming search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,69 +14,71 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde --- # Overview of management and APIs [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mgt-apis-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mgt-apis-abovefoldlink) -Microsoft Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform. -Acknowledging that customer environments and structures can vary, Microsoft Defender ATP was created with flexibility and granular control to fit varying customer requirements. +Defender for Endpoint supports a wide variety of options to ensure that customers can easily adopt the platform. + +Acknowledging that customer environments and structures can vary, Defender for Endpoint was created with flexibility and granular control to fit varying customer requirements. ## Endpoint onboarding and portal access -Device onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client devices and Azure Security Center for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for devices management. +Device onboarding is fully integrated into Microsoft Endpoint Manager and Microsoft Intune for client devices and Azure Security Center for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender for Endpoint supports Group Policy and other third-party tools used for devices management. -Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: +Defender for Endpoint provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: - Globally distributed organizations and security teams - Tiered model security operations teams - Fully segregated divisions with single centralized global security operations teams ## Available APIs -The Microsoft Defender ATP solution is built on top of an integration-ready platform. +The Microsoft Defender for Endpoint solution is built on top of an integration-ready platform. -Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. +Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. -![Image of available API and integration in Microsoft Defender ATP](images/mdatp-apis.png) +![Image of available API and integration in Microsoft Defender for Endpoint](images/mdatp-apis.png) -The Microsoft Defender ATP APIs can be grouped into three: -- Microsoft Defender ATP APIs +The Defender for Endpoint APIs can be grouped into three: +- Microsoft Defender for Endpoint APIs - Raw data streaming API - SIEM integration -## Microsoft Defender ATP APIs +## Microsoft Defender for Endpoint APIs -Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear, and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form. +Defender for Endpoint offers a layered API model exposing data and capabilities in a structured, clear, and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form. -Watch this video for a quick overview of Microsoft Defender ATP's APIs. +Watch this video for a quick overview of Defender for Endpoint's APIs. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M] -The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information, see, [Supported APIs](exposed-apis-list.md). +The **Investigation API** exposes the richness of Defender for Endpoint - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information, see [Supported APIs](exposed-apis-list.md). The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate devices from the network, quarantine files, and others. ## Raw data streaming API -Microsoft Defender ATP raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism. +Defender for Endpoint raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism. -The Microsoft Defender ATP event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines. +The Defender for Endpoint event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines. -For more information, see, [Raw data streaming API](raw-data-export.md). +For more information, see [Raw data streaming API](raw-data-export.md). ## SIEM API -When you enable security information and event management (SIEM) integration, it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant. For more information, see, [SIEM integration](enable-siem-integration.md) +When you enable security information and event management (SIEM) integration, it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant. For more information, see [SIEM integration](enable-siem-integration.md). ## Related topics -- [Access the Microsoft Defender Advanced Threat Protection APIs ](apis-intro.md) +- [Access the Microsoft Defender for Endpoint APIs ](apis-intro.md) - [Supported APIs](exposed-apis-list.md) - [Technical partner opportunities](partner-integration.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md index e9fa0412b0..73a8f1bbb0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md @@ -4,8 +4,8 @@ description: Make the switch from McAfee to Microsoft Defender for Endpoint. Rea keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,31 +15,41 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-mcafeemigrate -- m365solution-overview + - M365-security-compliance + - m365solution-mcafeemigrate + - m365solution-overview ms.topic: conceptual ms.custom: migrationguides -ms.date: 09/22/2020 +ms.date: 02/11/2021 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho --- -# Migrate from McAfee to Microsoft Defender Advanced Threat Protection +# Migrate from McAfee to Microsoft Defender for Endpoint -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide. -If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide to plan your migration. +:::image type="content" source="images/mcafee-mde-migration.png" alt-text="Overview of migrating from McAfee to Defender for Endpoint"::: + +When you make the switch from McAfee to Defender for Endpoint, you begin with your McAfee solution in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, and then set Defender for Endpoint to active mode and remove McAfee. ## The migration process -When you switch from McAfee to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table: +When you switch from McAfee to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases: Prepare, Setup, and Onboard. + +![Migration phases - prepare setup onboard](images/phase-diagrams/migration-phases.png) |Phase |Description | |--|--| -|[![Phase 1: Prepare](images/prepare.png)](mcafee-to-microsoft-defender-prepare.md)
        [Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. | -|[![Phase 2: Set up](images/setup.png)](mcafee-to-microsoft-defender-setup.md)
        [Set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md) |During [the **Setup** phase](mcafee-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.| -|[![Phase 3: Onboard](images/onboard.png)](mcafee-to-microsoft-defender-onboard.md)
        [Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](mcafee-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. | +|[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During the [**Prepare**](mcafee-to-microsoft-defender-prepare.md) phase, you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. | +|[Set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md) |During the [**Setup**](mcafee-to-microsoft-defender-setup.md) phase, you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.| +|[Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md) |During the [**Onboard**](mcafee-to-microsoft-defender-onboard.md) phase, you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. | ## What's included in Microsoft Defender for Endpoint? diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md index d38a5977e8..4406338cb7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md @@ -4,8 +4,8 @@ description: This is phase 3, Onboard, for migrating from McAfee to Microsoft De keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,12 +15,12 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-McAfeemigrate -- m365solution-scenario + - M365-security-compliance + - m365solution-McAfeemigrate + - m365solution-scenario ms.custom: migrationguides ms.topic: article -ms.date: 09/24/2020 +ms.date: 02/11/2021 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho --- @@ -28,12 +28,17 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](mcafee-to-microsoft-defender-prepare.md)
        [Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[![Phase 2: Set up](images/phase-diagrams/setup.png)](mcafee-to-microsoft-defender-setup.md)
        [Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |![Phase 3: Onboard](images/phase-diagrams/onboard.png)
        Phase 3: Onboard | -|[![Phase 1: Prepare](images/prepare.png)](mcafee-to-microsoft-defender-prepare.md)
        [Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[![Phase 2: Set up](images/setup.png)](mcafee-to-microsoft-defender-setup.md)
        [Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |![Phase 3: Onboard](images/onboard.png)
        Phase 3: Onboard | |--|--|--| || |*You are here!* | - **Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps: 1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md index fe973d1a59..bf10e65074 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md @@ -4,8 +4,8 @@ description: This is phase 1, Prepare, for migrating from McAfee to Microsoft De keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,12 +15,12 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-mcafeemigrate -- m365solution-scenario + - M365-security-compliance + - m365solution-mcafeemigrate + - m365solution-scenario ms.topic: article ms.custom: migrationguides -ms.date: 09/22/2020 +ms.date: 02/11/2021 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho --- @@ -28,8 +28,14 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -|![Phase 1: Prepare](images/prepare.png)
        Phase 1: Prepare |[![Phase 2: Set up](images/setup.png)](mcafee-to-microsoft-defender-setup.md)
        [Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[![Phase 3: Onboard](images/onboard.png)](mcafee-to-microsoft-defender-onboard.md)
        [Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) | +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +|![Phase 1: Prepare](images/phase-diagrams/prepare.png)
        Phase 1: Prepare |[![Phase 2: Set up](images/phase-diagrams/setup.png)](mcafee-to-microsoft-defender-setup.md)
        [Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](mcafee-to-microsoft-defender-onboard.md)
        [Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) | |--|--|--| |*You are here!*| | | @@ -44,7 +50,7 @@ This migration phase includes the following steps: ## Get and deploy updates across your organization's devices -As a best practice, keep your organization's devices and endpoints up to date. Make sure your McAfee Endpoint Security (McAfee) solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender ATP and Microsoft Defender Antivirus. +As a best practice, keep your organization's devices and endpoints up to date. Make sure your McAfee Endpoint Security (McAfee) solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender for Endpoint and Microsoft Defender Antivirus. ### Make sure your McAfee solution is up to date @@ -72,24 +78,24 @@ Need help updating your organization's devices? See the following resources: ## Get Microsoft Defender for Endpoint -Now that you've updated your organization's devices, the next step is to get Microsoft Defender ATP, assign licenses, and make sure the service is provisioned. +Now that you've updated your organization's devices, the next step is to get Microsoft Defender for Endpoint, assign licenses, and make sure the service is provisioned. 1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp). 2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state). -3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration). +3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration). -4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration). +4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration). At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). > [!NOTE] -> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender ATP portal. +> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender for Endpoint portal. ## Grant access to the Microsoft Defender Security Center -The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender ATP. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). +The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions. @@ -106,16 +112,16 @@ Permissions to the Microsoft Defender Security Center can be granted by using ei ## Configure device proxy and internet connectivity settings -To enable communication between your devices and Microsoft Defender ATP, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities: +To enable communication between your devices and Microsoft Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities: |Capabilities | Operating System | Resources | |--|--|--| -|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | -|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
        - [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | -|EDR |macOS:
        - 10.15 (Catalina)
        - 10.14 (Mojave)
        - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | -|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
        - [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
        | -|Antivirus |macOS:
        - 10.15 (Catalina)
        - 10.14 (Mojave)
        - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | -|Antivirus |Linux:
        - RHEL 7.2+
        - CentOS Linux 7.2+
        - Ubuntu 16 LTS, or higher LTS
        - SLES 12+
        - Debian 9+
        - Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) +|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | +|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
        - [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | +|EDR |macOS:
        - 10.15 (Catalina)
        - 10.14 (Mojave)
        - 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
        - [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
        | +|Antivirus |macOS:
        - 10.15 (Catalina)
        - 10.14 (Mojave)
        - 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|Antivirus |Linux:
        - RHEL 7.2+
        - CentOS Linux 7.2+
        - Ubuntu 16 LTS, or higher LTS
        - SLES 12+
        - Debian 9+
        - Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) ## Next step diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md index 8813e53523..7dd1dd5614 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md @@ -4,8 +4,8 @@ description: This is phase 2, Setup, for migrating from McAfee to Microsoft Defe keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,29 +15,35 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-mcafeemigrate -- m365solution-scenario + - M365-security-compliance + - m365solution-mcafeemigrate + - m365solution-scenario ms.topic: article ms.custom: migrationguides -ms.date: 09/22/2020 +ms.date: 02/11/2021 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho --- # Migrate from McAfee - Phase 2: Set up Microsoft Defender for Endpoint + [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -|[![Phase 1: Prepare](images/prepare.png)](mcafee-to-microsoft-defender-prepare.md)
        [Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |![Phase 2: Set up](images/setup.png)
        Phase 2: Set up |[![Phase 3: Onboard](images/onboard.png)](mcafee-to-microsoft-defender-onboard.md)
        [Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) | +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](mcafee-to-microsoft-defender-prepare.md)
        [Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |![Phase 2: Set up](images/phase-diagrams/setup.png)
        Phase 2: Set up |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](mcafee-to-microsoft-defender-onboard.md)
        [Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) | |--|--|--| ||*You are here!* | | -**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps: +**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps: 1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode). 2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus). -3. [Add Microsoft Defender ATP to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee). +3. [Add Microsoft Defender for Endpoint to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee). 4. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus). 5. [Add McAfee to the exclusion list for Microsoft Defender for Endpoint](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-for-endpoint). 6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units). @@ -91,6 +97,12 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
        +> [!NOTE] +> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required. +> Example:
        +> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
        +> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
        + 3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
        `Get-Service -Name windefend` @@ -100,7 +112,7 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d ### Set Microsoft Defender Antivirus to passive mode on Windows Server -Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender ATP. +Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint. 1. Open Registry Editor, and then navigate to
        `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. @@ -136,7 +148,7 @@ Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defen |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

        2. Type `sc query windefend`, and then press Enter.

        3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

        2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

        3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

        2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

        3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.| > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. @@ -162,8 +174,8 @@ The specific exclusions to configure depend on which version of Windows your end |OS |Exclusions | |--|--| -|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
        - Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`

        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`

        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`

        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
        | -|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
        - [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`

        **NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.

        `C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | +|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))
        - Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`

        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`

        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`

        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
        | +|- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
        - [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`

        **NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.

        `C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | ## Add McAfee to the exclusion list for Microsoft Defender Antivirus @@ -187,7 +199,7 @@ You can choose from several methods to add your exclusions to Microsoft Defender ## Add McAfee to the exclusion list for Microsoft Defender for Endpoint -To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files). +To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files). 1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md index 16dd867662..c12ba0d4e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md @@ -1,11 +1,11 @@ --- -title: Configure Microsoft Cloud App Security integration +title: Configure Microsoft Cloud App Security integration ms.reviewer: description: Learn how to turn on the settings to enable the Microsoft Defender ATP integration with Microsoft Cloud App Security. keywords: cloud, app, security, settings, integration, discovery, report search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,37 +14,40 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Configure Microsoft Cloud App Security in Microsoft Defender ATP +# Configure Microsoft Cloud App Security in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -To benefit from Microsoft Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration. + +To benefit from Microsoft Defender for Endpoint cloud app discovery signals, turn on Microsoft Cloud App Security integration. >[!NOTE] >This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. -> See [Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration) for detailed integration of Microsoft Defender ATP with Microsoft Cloud App Security. +> See [Microsoft Defender for Endpoint integration with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration) for detailed integration of Microsoft Defender for Endpoint with Microsoft Cloud App Security. -## Enable Microsoft Cloud App Security in Microsoft Defender ATP +## Enable Microsoft Cloud App Security in Microsoft Defender for Endpoint 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select **Microsoft Cloud App Security** and switch the toggle to **On**. 3. Click **Save preferences**. -Once activated, Microsoft Defender ATP will immediately start forwarding discovery signals to Cloud App Security. +Once activated, Microsoft Defender for Endpoint will immediately start forwarding discovery signals to Cloud App Security. ## View the data collected -To view and access Microsoft Defender ATP data in Microsoft Cloud Apps Security, see [Investigate devices in Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration#investigate-machines-in-cloud-app-security). +To view and access Microsoft Defender for Endpoint data in Microsoft Cloud Apps Security, see [Investigate devices in Cloud App Security](https://docs.microsoft.com/cloud-app-security/mde-integration#investigate-devices-in-cloud-app-security). For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps). diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md index a23303c507..0bcd942eab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md @@ -5,7 +5,7 @@ description: Microsoft Defender Advanced Threat Protection (Microsoft Defender A keywords: cloud, app, networking, visibility, usage search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,28 +14,33 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/18/2018 +ms.technology: mde --- -# Microsoft Cloud App Security in Microsoft Defender ATP overview +# Microsoft Cloud App Security in Defender for Endpoint overview [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - [!include[Prerelease information](../../includes/prerelease.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements on data stored in the cloud. For more information, see [Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security). >[!NOTE] >This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10 version 1809 or later. -## Microsoft Defender ATP and Cloud App Security integration +## Microsoft Defender for Endpoint and Cloud App Security integration -Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity. +Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender for Endpoint integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity. > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yQ] @@ -44,9 +49,9 @@ The integration provides the following major improvements to the existing Cloud - Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers. -- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Microsoft Defender ATP and Cloud App Security integration, there's no configuration required. Just switch it on in Microsoft Defender Security Center settings and you're good to go. +- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Defender for Endpoint and Cloud App Security integration, there's no configuration required. Just switch it on in Microsoft Defender Security Center settings and you're good to go. -- Device context - Cloud traffic logs lack device context. Microsoft Defender ATP network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it. +- Device context - Cloud traffic logs lack device context. Defender for Endpoint network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it. For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps). diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index b37274b4cb..a949ca592e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -1,10 +1,10 @@ --- -title: Microsoft Defender Advanced Threat Protection -description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise endpoint security platform that helps defend against advanced persistent threats. -keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting +title: Microsoft Defender for Endpoint +description: Microsoft Defender for Endpoint is an enterprise endpoint security platform that helps defend against advanced persistent threats. +keywords: introduction to Microsoft Defender for Endpoint, introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,25 +13,31 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- -# Microsoft Defender Advanced Threat Protection +# Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) > For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). -Microsoft Defender Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. +Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

        ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob] +>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4wDob] -Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: +Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: -- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP. +- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint. - **Cloud security analytics**: Leveraging big-data, device-learning, and @@ -42,20 +48,19 @@ Microsoft Defender ATP uses the following combination of technology built into W - **Threat intelligence**: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat - intelligence enables Microsoft Defender ATP to identify attacker + intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they are observed in collected sensor data. - -

        Microsoft Defender ATP

        +

        Microsoft Defender for Endpoint

        - - - - - - + + + + + + - + - - + - + - + @@ -169,15 +169,15 @@ To better help you protect your organization, we recommend turning on and using - + - + - + @@ -219,4 +219,3 @@ To better help you protect your organization, we recommend turning on and using - [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md) - [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies) - diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 56d43dafc5..9b7c62b617 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -2,7 +2,7 @@ title: Microsoft Defender SmartScreen overview (Windows 10) description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.localizationpriority: high ms.date: 11/27/2019 ms.reviewer: manager: dansimp +ms.technology: mde --- # Microsoft Defender SmartScreen @@ -67,12 +68,12 @@ When submitting Microsoft Defender SmartScreen products, make sure to select **M ## Viewing Microsoft Defender SmartScreen anti-phishing events > [!NOTE] -> No Smartscreen events will be logged when using Microsoft Edge version 77 or later. +> No SmartScreen events will be logged when using Microsoft Edge version 77 or later. -When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). +When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://docs.microsoft.com/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)). ## Viewing Windows event logs for Microsoft Defender SmartScreen -Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug login Event Viewer. +Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log, in the Event Viewer. Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it: diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md index 728d759855..6b4f9fc6e2 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md @@ -2,7 +2,7 @@ title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows 10) description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps. keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security @@ -12,6 +12,7 @@ ms.date: 10/13/2017 ms.reviewer: manager: dansimp ms.author: macapara +ms.technology: mde --- # Set up and use Microsoft Defender SmartScreen on individual devices diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md index 3e5cd564fb..c792222c8a 100644 --- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md @@ -4,12 +4,13 @@ ms.author: dansimp title: Override Process Mitigation Options (Windows 10) description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies. keywords: Process Mitigation Options, Mitigation Options, Group Policy Mitigation Options -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library author: dulcemontemayor ms.localizationpriority: medium +ms.technology: mde --- diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index eaef387dbf..3237437499 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -1,16 +1,17 @@ --- title: Mitigate threats by using Windows 10 security features (Windows 10) description: An overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.date: 10/13/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # Mitigate threats by using Windows 10 security features @@ -106,7 +107,7 @@ Microsoft Defender Antivirus in Windows 10 uses a multi-pronged approach to impr For more information, see [Windows Defender in Windows 10](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://docs.microsoft.com/windows-server/security/windows-defender/windows-defender-overview-windows-server). -For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation). +For information about Microsoft Defender for Endpoint, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (resources) and [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation). ### Data Execution Prevention @@ -445,14 +446,14 @@ Examples: #### EMET-related products -Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating [Microsoft Defender Advanced Threat Protection](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (ATP). +Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating [Microsoft Defender for Endpoint](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). ## Related topics - [Security and Assurance in Windows Server 2016](https://docs.microsoft.com/windows-server/security/security-and-assurance) -- [Microsoft Defender Advanced Threat Protection (ATP) - resources](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) -- [Microsoft Defender Advanced Threat Protection (ATP) - documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) +- [Microsoft Defender for Endpoint - resources](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +- [Microsoft Microsoft Defender for Endpoint - documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) - [Exchange Online Advanced Threat Protection Service Description](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) -- [Office 365 Advanced Threat Protection](https://products.office.com/en-us/exchange/online-email-threat-protection) +- [Microsoft Defender for Office 365](https://products.office.com/en-us/exchange/online-email-threat-protection) - [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/mmpc/default.aspx) diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 905bf8c06a..00e7c27ee7 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -6,13 +6,14 @@ ms.reviewer: manager: dansimp ms.author: dansimp keywords: security, BYOD, malware, device health attestation, mobile -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security, devices author: dulcemontemayor ms.date: 10/13/2017 ms.localizationpriority: medium +ms.technology: mde --- # Control the health of Windows 10-based devices diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index e8dd6ab29f..18151f137c 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -2,7 +2,7 @@ title: Microsoft Security Compliance Toolkit 1.0 description: This article describes how to use the Security Compliance Toolkit in your organization keywords: virtualization, security, malware -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp @@ -13,6 +13,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/21/2019 ms.reviewer: +ms.technology: mde --- # Microsoft Security Compliance Toolkit 1.0 @@ -33,7 +34,6 @@ The Security Compliance Toolkit consists of: - Windows 10 Version 1903 (May 2019 Update) - Windows 10 Version 1809 (October 2018 Update) - Windows 10 Version 1803 (April 2018 Update) - - Windows 10 Version 1709 (Fall Creators Update) - Windows 10 Version 1607 (Anniversary Update) - Windows 10 Version 1507 @@ -46,7 +46,10 @@ The Security Compliance Toolkit consists of: - Microsoft 365 Apps for enterprise (Sept 2019) - Microsoft Edge security baseline - - Version 85 + - Version 88 + +- Windows Update security baseline + - Windows 10 20H2 and below (October 2020 Update) - Tools - Policy Analyzer tool diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md index 073cfbd4cb..152f6711fe 100644 --- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md +++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md @@ -4,7 +4,7 @@ description: Describes best practices, security considerations, and more for the ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Access Credential Manager as a trusted caller diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index 06d067f006..d20934b1f3 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Access this computer from the network - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index 4394099acc..4df87c418a 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: a4167bf4-27c3-4a9b-8ef0-04e3c6ec3aa4 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Account lockout duration diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md index 852449d7ce..26ba3362f0 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md @@ -4,7 +4,7 @@ description: Describes the Account Lockout Policy settings and links to informat ms.assetid: eb968c28-17c5-405f-b413-50728cb7b724 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/11/2018 +ms.technology: mde --- # Account Lockout Policy diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index d9c2770ad4..d7dacae92e 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 4904bb40-a2bd-4fef-a102-260ba8d74e30 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/02/2018 +ms.technology: mde --- # Account lockout threshold diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md index f740ced849..42f0509874 100644 --- a/windows/security/threat-protection/security-policy-settings/account-policies.md +++ b/windows/security/threat-protection/security-policy-settings/account-policies.md @@ -4,7 +4,7 @@ description: An overview of account policies in Windows and provides links to po ms.assetid: 711b3797-b87a-4cd9-a2e3-1f8ef18688fb ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Account Policies diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md index 242f47b39f..983c8abe93 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 71a3bd48-1014-49e0-a936-bfe9433af23e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/01/2017 +ms.technology: mde --- # Accounts: Administrator account status diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index 44ba58b22d..999953b0f6 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, management, and sec ms.assetid: 94c76f45-057c-4d80-8d01-033cf28ef2f7 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/10/2017 +ms.technology: mde --- # Accounts: Block Microsoft accounts diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md index 0677dbe5ed..1828f74f0d 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Accounts: Guest account status - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md index 429a6e932a..88adc7aa01 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md @@ -4,7 +4,7 @@ description: Learn best practices, security considerations, and more for the pol ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Accounts: Limit local account use of blank passwords to console logon only diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md index 416c761dd9..1bf1c8e328 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md @@ -4,7 +4,7 @@ description: This security policy reference topic for the IT professional descri ms.assetid: d21308eb-7c60-4e48-8747-62b8109844f9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Accounts: Rename administrator account diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md index 4e136d6fc7..5694b75065 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Accounts: Rename guest account - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md index b32355b82a..dfd593bde8 100644 --- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md +++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c1b7e084-a9f7-4377-b678-07cc913c8b0c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Act as part of the operating system diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md index e961da2395..c2cfbb9858 100644 --- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md +++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management a ms.assetid: b0c21af4-c928-4344-b1f1-58ef162ad0b3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Add workstations to domain diff --git a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md index fc90fa5e4b..154ecd7c75 100644 --- a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md +++ b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Adjust memory quotas for a process diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md index 378bc21d36..0e4d3680f2 100644 --- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md @@ -4,7 +4,7 @@ description: This article discusses different methods to administer security pol ms.assetid: 7617d885-9d28-437a-9371-171197407599 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Administer security policy settings diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md index ee0f5f1b86..3bb3d64326 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Allow log on locally - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md index 518c760a7e..044f3c2fe5 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Allow log on through Remote Desktop Services diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index ef5a46869a..4015f85f3f 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit: Audit the access of global system objects diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index 4c8003e0f3..3c398b2262 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -4,7 +4,7 @@ description: "Describes the best practices, location, values, and security consi ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/01/2019 +ms.technology: mde --- # Audit: Audit the use of Backup and Restore privilege diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md index 023e1eac23..3c64ae947a 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md @@ -4,7 +4,7 @@ description: Learn more about the security policy setting, Audit Force audit pol ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings diff --git a/windows/security/threat-protection/security-policy-settings/audit-policy.md b/windows/security/threat-protection/security-policy-settings/audit-policy.md index 01e76f7782..351b357bb8 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-policy.md +++ b/windows/security/threat-protection/security-policy-settings/audit-policy.md @@ -4,7 +4,7 @@ description: Provides information about basic audit policies that are available ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit Policy diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index e9e6d09cf2..6b2a642f91 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit: Shut down system immediately if unable to log security audits diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md index a431f30baf..67a1efe7b8 100644 --- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md @@ -4,7 +4,7 @@ description: Describes the recommended practices, location, values, policy manag ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Back up files and directories - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md index af394cc02a..b82df05bd9 100644 --- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md +++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 1c828655-68d3-4140-aa0f-caa903a7087e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Bypass traverse checking diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md index 3729af5440..611c4f29c6 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Change the system time - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md index 21918a8f75..f9251b7542 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Change the time zone - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md index 55281194fb..eaca0ecfbb 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create a pagefile - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md index 2aab29e91a..52fb6a0e53 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: bfbf52fc-6ba4-442a-9df7-bd277e55729c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create a token object diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md index 6093dfc046..c29a2716ee 100644 --- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 9cb6247b-44fc-4815-86f2-cb59b6f0221e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create global objects diff --git a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md index 99d3c81d18..33b84b4ddd 100644 --- a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 6a58438d-65ca-4c4a-a584-450eed976649 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create permanent shared objects diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md index 696c309ef6..70f390d16a 100644 --- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md +++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 882922b9-0ff8-4ee9-8afc-4475515ee3fd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create symbolic links diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index dbef4f23b0..8b5c1ba80d 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -4,7 +4,7 @@ description: Learn about best practices and more for the syntax policy setting, ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 1e3fb1aac8..46bcee01d5 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, DCOM Machi ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md index 8e9e1de135..ee678fa038 100644 --- a/windows/security/threat-protection/security-policy-settings/debug-programs.md +++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Debug programs diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md index c7de16a3ed..426bbb78d9 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Deny access to this computer from the network diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md index 3705d5c84b..33371b5594 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Deny log on as a batch job diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md index ae1ff7ad09..e93b14011b 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: f1114964-df86-4278-9b11-e35c66949794 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Deny log on as a service diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md index c29d301d15..16aac6c38f 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Deny log on locally diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md index 5ba0488e44..e618426e9d 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Deny log on through Remote Desktop Services diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md index b9c5b91f0b..1c8ec83ad6 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Devices: Allow undock without having to log on diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md index 63a755d174..4a2d451bd1 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Devices: Allowed to format and eject removable media diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md index 6b2c51d931..15e9f97f5d 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Devices: Prevent users from installing printer drivers diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index 45bae7d793..14b745deaf 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Devices: Restrict CD-ROM access to locally logged-on user only diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index f0de6a47fe..0b64be01ad 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 92997910-da95-4c03-ae6f-832915423898 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Devices: Restrict floppy access to locally logged-on user only diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md index 42e3ec17e1..6708f52037 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 198b12a4-8a5d-48e8-a752-2073b8a2cb0d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain controller: Allow server operators to schedule tasks diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md index 933e46f0a1..ba471b4b00 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: fe122179-7571-465b-98d0-b8ce0f224390 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain controller: LDAP server signing requirements diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md index 0115f58fc6..7a2193fd9c 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain controller: Refuse machine account password changes diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index 065ea3434c..9c02ea6441 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md @@ -4,7 +4,7 @@ description: Best practices, location, values, and security considerations for t ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain member: Digitally encrypt or sign secure channel data (always) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index 0540ffa16a..cc788fbe2b 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain member: Digitally encrypt secure channel data (when possible) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md index e0127d72d7..5d0ee13652 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md @@ -4,7 +4,7 @@ description: Best practices, location, values, and security considerations for t ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain member: Digitally sign secure channel data (when possible) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md index af37ad2e44..16e25c74bf 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/27/2019 +ms.technology: mde --- # Domain member: Disable machine account password changes diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index 1c74391497..ff2d29cc14 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 05/29/2020 +ms.technology: mde --- # Domain member: Maximum machine account password age diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md index 9660f69829..544c028497 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md @@ -4,7 +4,7 @@ description: Best practices, location, values, and security considerations for t ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain member: Require strong (Windows 2000 or later) session key diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index 1968ce5913..cd3439ae58 100644 --- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Enable computer and user accounts to be trusted for delegation diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md index 43ed37c3fc..796779c714 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 8b2ab871-3e52-4dd1-9776-68bb1e935442 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Enforce password history diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md index ac0af26a19..71615ceabb 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 5891cb73-f1ec-48b9-b703-39249e48a29f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Enforce user logon restrictions diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md index fb56241385..e6585a09a3 100644 --- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md +++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 63129243-31ea-42a4-a598-c7064f48a3df ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Force shutdown from a remote system diff --git a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md index d6a7cf2241..40e5ca7ef1 100644 --- a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c0e1cd80-840e-4c74-917c-5c2349de885f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Generate security audits diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md index 3f70c13716..7ad1fc41a6 100644 --- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md @@ -4,8 +4,7 @@ description: Describes steps to configure a security policy setting on the local ms.assetid: 63b0967b-a9fe-4d92-90af-67469ee20320 ms.reviewer: ms.author: dansimp - -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Configure security policy settings diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md index 1d241529ee..4ccb66701d 100644 --- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 4cd241e2-c680-4b43-8ed0-3b391925cec5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Impersonate a client after authentication @@ -105,6 +106,8 @@ On member servers, ensure that only the Administrators and Service groups (Local In most cases, this configuration has no impact. If you have installed optional components such as ASP.NET or IIS, you may need to assign the **Impersonate a client after authentication** user right to additional accounts that are required by those components, such as IUSR\_*<ComputerName>*, IIS\_WPG, ASP.NET, or IWAM\_*<ComputerName>*. +In IIS 7.0 and later, a built-in account (IUSR) replaces the IUSR_MachineName account. Additionally, a group that is named IIS_IUSRS replaces the IIS_WPG group. Because the IUSR account is a built-in account, the IUSR account no longer requires a password. The IUSR account resembles a network or local service account. For more details, see [Default permissions and user rights for IIS 7.0 and later](https://docs.microsoft.com/troubleshoot/iis/default-permissions-user-rights). + ## Related topics - [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md index 1225e25cd9..4473a058bb 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md +++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: b742ad96-37f3-4686-b8f7-f2b48367105b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Increase a process working set diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 5d4835f444..1cd8ae7179 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: fbec5973-d35e-4797-9626-d0d56061527f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 2/6/2020 +ms.technology: mde --- # Increase scheduling priority diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index c9e784c755..eb88a41772 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Display user information when the session is locked diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md index dbb2b2c45b..dc34342e33 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md @@ -1,7 +1,7 @@ --- title: Interactive logon Don't display last signed-in (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.topic: conceptual ms.date: 04/19/2017 ms.reviewer: ms.author: dansimp +ms.technology: mde --- # Interactive logon: Don't display last signed-in diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index 47257f0e50..e209f6f824 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 04e2c000-2eb2-4d4b-8179-1e2cb4793e18 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Do not require CTRL+ALT+DEL diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md index 84ae5e963d..dc75f23f03 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md @@ -2,9 +2,9 @@ title: Interactive logon Don't display username at sign-in (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Don't display username at sign-in security policy setting. ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd -ms.reviewer: +ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Don't display username at sign-in diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md index 384e9959b1..ea490bea9a 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md @@ -4,7 +4,7 @@ description: Best practices, location, values, management, and security consider ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Machine account lockout threshold diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index 07e009dc0e..b42c080ea0 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, management, and sec ms.assetid: 7065b4a9-0d52-41d5-afc4-5aedfc4162b5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/18/2018 +ms.technology: mde --- # Interactive logon: Machine inactivity limit diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index 61a261c4bd..554fcc6d63 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Message text for users attempting to log on diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md index bf4611c235..3f2be2aad0 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Message title for users attempting to log on diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index ebfbd65b83..f1248b1825 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md @@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, Interactiv ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/27/2018 +ms.technology: mde --- # Interactive logon: Number of previous logons to cache (in case domain controller is not available) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index b98d74a6bb..0eada407ca 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -1,10 +1,10 @@ --- -title: Interactive log-on prompt user to change password before expiration (Windows 10) +title: Interactive log-on prompt user to change password before expiration (Windows 10) description: Best practices and security considerations for an interactive log-on prompt for users to change passwords before expiration. ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive log on: Prompt the user to change passwords before expiration diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 216de3c43e..e08474cde8 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md @@ -4,7 +4,7 @@ description: Best practices security considerations, and more for the policy set ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Require Domain Controller authentication to unlock workstation diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md index 33b628cb5e..1235ce1f89 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Require smart card - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md index 3c4204523c..822699cbe5 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 61487820-9d49-4979-b15d-c7e735999460 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Smart card removal behavior diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md index b99dec5d92..4dde3dafa0 100644 --- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md +++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md @@ -4,7 +4,7 @@ description: Describes the Kerberos Policy settings and provides links to policy ms.assetid: 94017dd9-b1a3-4624-af9f-b29161b4bf38 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Kerberos Policy diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md index d80474a5ab..ece23d6a1b 100644 --- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 66262532-c610-470c-9792-35ff4389430f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Load and unload device drivers diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md index 9c53d5bb73..9f512271e5 100644 --- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md +++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: cc724979-aec0-496d-be4e-7009aef660a3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Lock pages in memory diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md index 7ad5326697..e4997ab361 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 4eaddb51-0a18-470e-9d3d-5e7cd7970b41 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Log on as a batch job diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md index 7539cb89c0..a170ea805c 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: acc9a9e0-fd88-4cda-ab54-503120ba1f42 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Log on as a service diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md index cec2f34a4c..057b9c3219 100644 --- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md +++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 4b946c0d-f904-43db-b2d5-7f0917575347 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Manage auditing and security log diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md index 2ba4e7f98c..4c5b767250 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 484bf05a-3858-47fc-bc02-6599ca860247 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Maximum lifetime for service ticket diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md index d4fc263448..4298be4ed3 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: f88cd819-3dd1-4e38-b560-13fe6881b609 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Maximum lifetime for user ticket renewal diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md index 46cd7ecb25..c9f03e275f 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: bcb4ff59-334d-4c2f-99af-eca2b64011dc ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Maximum lifetime for user ticket diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md index 2e2b5f172a..18d09c4627 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 2d6e70e7-c8b0-44fb-8113-870c6120871d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Maximum password age @@ -39,6 +40,9 @@ The **Maximum password age** policy setting determines the period of time (in da Set **Maximum password age** to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources. +> [!NOTE] +> The security baseline recommended by Microsoft doesn't contain the password-expiration policy, as it is less effective than modern mitigations. However, companies that didn't implement Azure AD Password Protection, multifactor authentication, or other modern mitigations of password-guessing attacks, should leave this policy in effect. + ### Location **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md index 880ce8d6ab..98e58336ac 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Maximum tolerance for computer clock synchronization diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index 457ba6494f..f2c0e59130 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -5,13 +5,14 @@ ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 ms.reviewer: manager: dansimp ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.date: 06/28/2018 +ms.technology: mde --- # Microsoft network client: Digitally sign communications (always) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index 0eb20f0245..3fca806b68 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -4,7 +4,7 @@ description: Learn about best practices and more for the security policy setting ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index 7bfb786b1e..df04135ddb 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Microsoft network server: Amount of idle time required before suspending session diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index 473585fba5..bf80e3d066 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md @@ -4,7 +4,7 @@ description: Learn about the security policy setting, Microsoft network server A ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Microsoft network server: Attempt S4U2Self to obtain claim information diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index 2e7b8cc704..aa8327994b 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/21/2018 +ms.technology: mde --- # Microsoft network server: Digitally sign communications (always) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md index d763e077ca..c63ba1fa9c 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md @@ -4,7 +4,7 @@ description: Best practices, location, values, and security considerations for t ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Microsoft network server: Disconnect clients when logon hours expire diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md index f45ef84792..934085e4f4 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Microsoft network server: Server SPN target name validation level diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index 9995735537..177a7d0222 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -5,13 +5,14 @@ ms.assetid: 91915cb2-1b3f-4fb7-afa0-d03df95e8161 ms.reviewer: manager: dansimp ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.date: 11/13/2018 +ms.technology: mde --- # Minimum password age diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md index ae21ed863f..c14de4b2fc 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 3d22eb9a-859a-4b6f-82f5-c270c427e17e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Minimum password length diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md index 9775374e5e..baa5e9c04b 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md +++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 3e5a97dd-d363-43a8-ae80-452e866ebfd5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Modify an object label diff --git a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md index 7ad95e9f59..5022db6039 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md +++ b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 80bad5c4-d9eb-4e3a-a5dc-dcb742b83fca ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Modify firmware environment values diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md index 0b21eb13c9..b78e43e706 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management and security co ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Allow anonymous SID/Name translation diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index b679530985..23a4d0c815 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md @@ -4,7 +4,7 @@ description: Learn about best practices and more for the security policy setting ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Do not allow anonymous enumeration of SAM accounts and shares diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index e957638eb9..3243d8261b 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Do not allow anonymous enumeration of SAM accounts diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 3668aaef4c..b22b8e05fe 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -4,7 +4,7 @@ description: Learn about best practices and more for the security policy setting ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Do not allow storage of passwords and credentials for network authentication diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md index 6ea98c4a06..816f4d78b1 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Let Everyone permissions apply to anonymous users diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md index ca8b104079..bb01d6c117 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md @@ -4,7 +4,7 @@ description: Describes best practices, security considerations and more for the ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Named Pipes that can be accessed anonymously diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md index a221329ce9..078753c170 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md @@ -4,7 +4,7 @@ description: Describes best practices, location, values, and security considerat ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Remotely accessible registry paths and subpaths diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md index 62e028051b..ab9370f9dd 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management and security co ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Remotely accessible registry paths diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index 7f2010f35f..9fea7c3077 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Restrict anonymous access to Named Pipes and Shares diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index c93ec93b11..fdcc0c6faf 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -1,7 +1,7 @@ --- title: Network access - Restrict clients allowed to make remote calls to SAM description: Security policy setting that controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security @@ -11,6 +11,7 @@ ms.date: 09/17/2018 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # Network access: Restrict clients allowed to make remote calls to SAM diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md index 1fbdd1c98d..125d609e61 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations, and more for t ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Shares that can be accessed anonymously diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md index 8ae8bcfd3d..359010211d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Sharing and security model for local accounts diff --git a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md index 4ac7af5f3c..69ecb0c119 100644 --- a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md +++ b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md @@ -4,7 +4,7 @@ description: Network List Manager policies are security settings that configure ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network List Manager policies diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 4d792d0457..40a53c2736 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -4,7 +4,7 @@ description: Location, values, policy management, and security considerations fo ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Allow Local System to use computer identity for NTLM diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md index 2a4db2ba09..3f67d9dfbf 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Allow LocalSystem NULL session fallback diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 14f67ae3d2..716b1da171 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -4,7 +4,7 @@ description: Best practices for the Network Security Allow PKU2U authentication ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Allow PKU2U authentication requests to this computer to use online identities diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index 51a84cfb6f..d6813adc8f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -4,7 +4,7 @@ description: Best practices, location, values and security considerations for th ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Configure encryption types allowed for Kerberos diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index 32ad4fc2b7..23140d7b81 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Do not store LAN Manager hash value on next password change diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md index 9abafe6715..d82ba2d356 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Force logoff when logon hours expire diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md index 8cf1d1ef2a..90ab68bf7a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management and security co ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: LAN Manager authentication level diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md index 2e91b3b1b6..deb400f637 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management and security co ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: LDAP client signing requirements diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index 5a6ed1a602..7da3832813 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md @@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, Network se ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 07/27/2017 +ms.technology: mde --- # Network security: Minimum session security for NTLM SSP based (including secure RPC) clients diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index aa05ac30a3..fd5bcf7731 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -4,7 +4,7 @@ description: Best practices and security considerations for the policy setting, ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Minimum session security for NTLM SSP based (including secure RPC) servers diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index f45e969f85..4f61542115 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index 190741c9b6..ad33075c6d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: Add server exceptions in this domain diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index 573acd03e5..466fe77336 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md @@ -4,7 +4,7 @@ description: Best practices, security considerations and more for the security p ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: Audit incoming NTLM traffic diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index 872e3aaf36..595f2d660a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 33183ef9-53b5-4258-8605-73dc46335e6e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: Audit NTLM authentication in this domain diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md index 2b0c20bc29..1c4ca789c3 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: Incoming NTLM traffic diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index a88bb90887..947f4ab587 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: 4c7884e9-cc11-4402-96b6-89c77dc908f8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: NTLM authentication in this domain diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 582a95f107..1a547615d6 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index 54140d60f7..c40865f9da 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 94482ae3-9dda-42df-9782-2f66196e6afe ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Password must meet complexity requirements @@ -27,10 +28,10 @@ Describes the best practices, location, values, and security considerations for The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements: -1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case sensitive. +1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case-sensitive. The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is fewer than three characters long, this check is skipped. - The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Havens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "grin" or "hagens" as a substring anywhere in the password. + The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Havens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "havens" as a substring anywhere in the password. 2. The password contains characters from three of the following categories: diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md index 4e9a967608..d0a560e42b 100644 --- a/windows/security/threat-protection/security-policy-settings/password-policy.md +++ b/windows/security/threat-protection/security-policy-settings/password-policy.md @@ -4,7 +4,7 @@ description: An overview of password policies for Windows and links to informati ms.assetid: aec1220d-a875-4575-9050-f02f9c54a3b6 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Password Policy diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md index 185ef547a9..44ce6c881a 100644 --- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: b6990813-3898-43e2-8221-c9c06d893244 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Perform volume maintenance tasks diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md index 3ea61190ff..fc3af3e372 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md +++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c0963de4-4f5e-430e-bfcd-dfd68e66a075 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Profile single process diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md index c39e1de1d2..37a46be943 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md +++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Profile system performance diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md index ac9b2c0104..8d560cc318 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Recovery console: Allow automatic administrative logon diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index 0fb4445f92..2d90c0a80f 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Recovery console: Allow floppy copy and access to all drives and folders diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md index a19803baed..099396d96b 100644 --- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md +++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Remove computer from docking station - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md index 6b6b9fbf97..497b00f4d5 100644 --- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md +++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Replace a process level token diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md index d4c0f55aa6..7dd3bc674f 100644 --- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md +++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/02/2018 +ms.technology: mde --- # Reset account lockout counter after diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md index edb41ef508..56932252a4 100644 --- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Restore files and directories - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md index 5836257990..58e86eb700 100644 --- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md @@ -4,7 +4,7 @@ description: Provides information about the advanced security audit policy setti ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Advanced security audit policy settings diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index 46dbab8860..b31d7a38cd 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md @@ -5,13 +5,14 @@ ms.assetid: 405ea253-8116-4e57-b08e-14a8dcdca92b ms.reviewer: manager: dansimp ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.date: 06/28/2018 +ms.technology: mde --- # Security Options diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md index a129a83f56..690b97fddb 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md @@ -4,7 +4,7 @@ description: This reference of security settings provides information about how ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Security policy settings reference diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index a8bd08c42d..1e283c3673 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -4,7 +4,7 @@ description: This reference topic describes the common scenarios, architecture, ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Security policy settings diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md index 368f3b722b..1b5d5a161d 100644 --- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md +++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Shut down the system - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index 49cf09a6db..5f9aec2590 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Shutdown: Allow system to be shut down without having to log on diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md index b3e5bb9c6c..b556412de2 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management a ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/01/2017 +ms.technology: mde --- # Shutdown: Clear virtual memory pagefile diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index a8d2183e51..996a278b07 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/04/2019 +ms.technology: mde --- # SMBv1 Microsoft network client: Digitally sign communications (always) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 47483249d7..6b4331de2f 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -4,7 +4,7 @@ description: Best practices, location, values, and security considerations for t ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/04/2019 +ms.technology: mde --- # SMBv1 Microsoft network client: Digitally sign communications (if server agrees) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md index dffc41d41d..0c427716aa 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/04/2019 +ms.technology: mde --- # SMB v1 Microsoft network server: Digitally sign communications (always) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 45e242b7fc..032bb6d057 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -4,7 +4,7 @@ description: Best practices, security considerations and more for the security p ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/04/2019 +ms.technology: mde --- # SMBv1 Microsoft network server: Digitally sign communications (if client agrees) diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md index 8541cc65f4..fa3693209f 100644 --- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md +++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Store passwords using reversible encryption diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md index 576180c4a9..04d2c905ec 100644 --- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md +++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Synchronize directory service data diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index fd0f6851b0..0ab38e9139 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # System cryptography: Force strong key protection for user keys stored on the computer diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index b3c9f04138..9994949948 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/16/2018 +ms.technology: mde --- # System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index f2b1daed5b..7d3fdb17cd 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -4,7 +4,7 @@ description: Best practices, security considerations and more for the security p ms.assetid: 340d6769-8f33-4067-8470-1458978d1522 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # System objects: Require case insensitivity for non-Windows subsystems diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md index 7e622b901f..731ff816b1 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md @@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, System obj ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md index af6a91841d..05dc5f7a16 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # System settings: Optional subsystems diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index d261330b49..85d1c3a9c8 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md @@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, System set ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # System settings: Use certificate rules on Windows executables for Software Restriction Policies diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md index be428efa89..45985b786a 100644 --- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md +++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Take ownership of files or other objects diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index c55c11df6a..3a71b45166 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2017 +ms.technology: mde --- # User Account Control: Admin Approval Mode for the Built-in Administrator account diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index 6c3bb8ace6..09f6411652 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -4,7 +4,7 @@ description: Best practices and more for the policy setting, User Account Contro ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index 5b6f5b139e..82939414e0 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, User Accou ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2017 +ms.technology: mde --- # User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index 659b235720..de0490479f 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations, and more for t ms.assetid: 1eae7def-8f6c-43b6-9474-23911fdc01ba ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Behavior of the elevation prompt for standard users diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md index 2fd36ac32f..be33709e17 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md @@ -4,7 +4,7 @@ description: Learn about best practices and more for the security policy setting ms.assetid: 3f8cb170-ba77-4c9f-abb3-c3ed1ef264fc ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Detect application installations and prompt for elevation diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 014e882384..62665872ff 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 64950a95-6985-4db6-9905-1db18557352d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Only elevate executables that are signed and validated diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index e9d0d85e91..06e3831a67 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md @@ -4,7 +4,7 @@ description: Learn about best practices and more for the policy setting, User Ac ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Only elevate UIAccess applications that are installed in secure locations diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md index fb06a1c928..da3fbca962 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: b838c561-7bfc-41ef-a7a5-55857259c7bf ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Run all administrators in Admin Approval Mode diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index 8d3f8b2d1b..6b34c92be1 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Switch to the secure desktop when prompting for elevation diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index 8fb6f6ead6..e8bf2f6497 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md @@ -4,7 +4,7 @@ description: Best practices, security considerations and more for the policy set ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Virtualize file and registry write failures to per-user locations diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md index 03d0a20cf4..5efa422cb9 100644 --- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md +++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md @@ -4,7 +4,7 @@ description: Provides an overview and links to information about the User Rights ms.assetid: 99340252-60be-4c79-b0a5-56fbe1a9b0c5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Rights Assignment @@ -69,6 +70,7 @@ The following table links to each security policy setting and provides the const | [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege| | [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege| | [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege| +| [Obtain an impersonation token for another user in the same session](impersonate-a-client-after-authentication.md) | SeDelegateSessionUserImpersonatePrivilege| | [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege| | [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege| | [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege| @@ -78,6 +80,7 @@ The following table links to each security policy setting and provides the const | [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege| | [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege| | [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege| + ## Related topics diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 58051a41aa..142ab09ad4 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -5,13 +5,14 @@ ms.assetid: 733263E5-7FD1-45D2-914A-184B9E3E6A3F ms.reviewer: manager: dansimp ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: dulcemontemayor ms.date: 02/28/2019 ms.localizationpriority: medium +ms.technology: mde --- # Use Windows Event Forwarding to help with intrusion detection @@ -40,7 +41,7 @@ Here's an approximate scaling guide for WEF events: | 5,000 - 50,000 | SEM | | 50,000+ | Hadoop/HDInsight/Data Lake | -Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences. +Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system regarding the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences. For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb). @@ -146,7 +147,7 @@ Yes. If you desire a High-Availability environment, simply configure multiple WE ### What are the WEC server’s limitations? -There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is “10k x 10k” – meaning, no more than 10,000 concurrently active WEF Clients per WEC server and no more than 10,000 events/second average event volume. +There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is planning for a total of 3,000 events per second on average for all configured subscriptions. - **Disk I/O**. The WEC server does not process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive. - **Network Connections**. While a WEF source does not maintain a permanent, persistent connection to the WEC server, it does not immediately disconnect after sending its events. This means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server. @@ -660,4 +661,3 @@ You can get more info with the following links: - [Windows Event Collector](https://msdn.microsoft.com/library/windows/desktop/bb427443.aspx) - [4625(F): An account failed to log on](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625) - diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md index 5ce47adcb7..2e7e17d540 100644 --- a/windows/security/threat-protection/windows-10-mobile-security-guide.md +++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md @@ -6,13 +6,14 @@ ms.reviewer: manager: dansimp ms.author: dansimp keywords: data protection, encryption, malware resistance, smartphone, device, Microsoft Store -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security, mobile ms.localizationpriority: medium author: dulcemontemayor ms.date: 10/13/2017 +ms.technology: mde --- # Windows 10 Mobile security guide diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index 7ec755da77..9a6947372a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -1,9 +1,9 @@ --- title: Allow LOB Win32 Apps on Intune-Managed S Mode Devices (Windows 10) description: Using WDAC supplemental policies, you can expand the S mode base policy on your Intune-managed devices. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 10/30/2019 +ms.technology: mde --- # Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 79c0d8087a..81a97e652b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -21,6 +21,12 @@ ##### [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) ##### [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md) ##### [Create a WDAC policy for fixed-workload devices](create-initial-default-policy.md) +##### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) +#### [Using the WDAC Wizard tool](wdac-wizard.md) +##### [Create a base WDAC policy with the Wizard](wdac-wizard-create-base-policy.md) +##### [Create a supplemental WDAC policy with the Wizard](wdac-wizard-create-supplemental-policy.md) +##### [Editing a WDAC policy with the Wizard](wdac-wizard-editing-policy.md) +##### [Merging multiple WDAC policies with the Wizard](wdac-wizard-merging-policies.md) ## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index fd016ed909..1a451b7545 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -1,9 +1,9 @@ --- title: Allow COM object registration in a WDAC policy (Windows 10) description: You can allow COM object registration in a Windows Defender Application Control policy. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/21/2019 +ms.technology: mde --- # Allow COM object registration in a Windows Defender Application Control policy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index f762644195..aafd72be3d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to update your existi ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Add rules for packaged apps to existing AppLocker rule-set diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index 8730c6c545..28e35129ba 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -4,7 +4,7 @@ description: This topic for IT professionals provides links to specific procedur ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.technology: mde --- # Administer AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md index f7a0f16873..04a1ea12ad 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md @@ -4,7 +4,7 @@ description: This topic for IT professional describes AppLocker’s basic archit ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker architecture and components diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md index 277bc78753..3e9ab04bfc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md @@ -4,7 +4,7 @@ description: This article for the IT professional lists the functions and securi ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker functions diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index b7d7885b7f..b7dcbcddd8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -4,7 +4,7 @@ description: This topic provides a description of AppLocker and can help you dec ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/16/2017 +ms.technology: mde --- # AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md index e92450d695..60bc44e368 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md @@ -4,7 +4,7 @@ description: This topic for IT professionals introduces the concepts and describ ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md index d723d9a054..960362fe53 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md @@ -4,7 +4,7 @@ description: This topic for the IT professional introduces the design and planni ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker design guide diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md index 3e660d6659..897753b906 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md @@ -4,7 +4,7 @@ description: This topic for the IT professional lists the various application co ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker policy use scenarios diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md index de1860a1a6..0ffdf6a6e0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes the process dependenci ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker processes and interactions diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md index f289a40fe7..56d2fcb24d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md @@ -4,7 +4,7 @@ description: This topic for the IT professional lists the settings used by AppLo ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker settings diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md index 031ce25230..db60e0f7bc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md @@ -4,7 +4,7 @@ description: This overview topic for IT professionals provides links to the topi ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker technical reference diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md index 2dd978d52b..8995d1c8cf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to set AppLocker poli ms.assetid: 10bc87d5-cc7f-4500-b7b3-9006e50afa50 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/08/2018 +ms.technology: mde --- # Configure an AppLocker policy for audit only diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md index 36cce5baec..1f3d8928cf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to enable the A ms.assetid: 5dbbb290-a5ae-4f88-82b3-21e95972e66c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Configure an AppLocker policy for enforce rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md index dfb7c8814a..fea958441d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to specify whic ms.assetid: d15c9d84-c14b-488d-9f48-bf31ff7ff0c5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Add exceptions for an AppLocker rule diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md index a3a2d593bb..9b81e3d6fe 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes the steps to create an ms.assetid: 034bd367-146d-4956-873c-e1e09e6fefee ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Configure the AppLocker reference device diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 488a8cc411..610728b4d6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -5,7 +5,7 @@ ms.assetid: dc469599-37fd-448b-b23e-5b8e4f17e561 ms.reviewer: ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/02/2018 +ms.technology: mde --- # Configure the Application Identity service diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index 619e173000..e7c76c7e98 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -4,7 +4,7 @@ description: This article for IT professionals shows how to create an AppLocker ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create a rule for packaged apps diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md index f7689c76f7..c68870383e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md @@ -4,7 +4,7 @@ description: This topic for IT professionals shows how to create an AppLocker ru ms.assetid: eb3b3524-1b3b-4979-ba5a-0a0b1280c5c7 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create a rule that uses a file hash condition diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md index 728693dc35..fd4ebfd86a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md @@ -4,7 +4,7 @@ description: This topic for IT professionals shows how to create an AppLocker ru ms.assetid: 9b2093f5-5976-45fa-90c3-da1e0e845d95 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create a rule that uses a path condition diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md index 5a875b4b84..f7f9061767 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md @@ -4,7 +4,7 @@ description: This topic for IT professionals shows how to create an AppLocker ru ms.assetid: 345ad45f-2bc1-4c4c-946f-17804e29f55b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create a rule that uses a publisher condition diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md index 4bf66b9c31..8e818f8d12 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to create a sta ms.assetid: 21e9dc68-a6f4-4ebe-ac28-4c66a7ab6e18 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create AppLocker default rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index 24ab242eb1..9d57825f8a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md @@ -4,7 +4,7 @@ description: This topic describes the process of gathering app usage requirement ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create a list of apps deployed to each business group diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md index 4cb2f24434..d0a53377ec 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md @@ -4,7 +4,7 @@ description: This overview topic for the IT professional describes the steps to ms.assetid: d339dee2-4da2-4d4a-b46e-f1dfb7cb4bf0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create Your AppLocker policies diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md index 6d75ecfc99..dd866880d3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes what you need to know ms.assetid: b684a3a5-929c-4f70-8742-04088022f232 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create Your AppLocker rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index a63318645f..80c31abf85 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -4,7 +4,7 @@ description: This article for IT professionals describes the steps to delete an ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/09/2020 +ms.technology: mde --- # Delete an AppLocker rule diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index 65374479fc..bd480092c0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to deploy AppLo ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Deploy AppLocker policies by using the enforce rules setting diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md index 058e736230..64f60860f0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes the tasks that should ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Deploy the AppLocker policy into production diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md index e03376d487..fdeb9db2dc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md @@ -4,7 +4,7 @@ description: This overview topic describes the process to follow when you are pl ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Determine the Group Policy structure and rule enforcement diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index 099c30bac7..a0770cfdb3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes how to use AppLocker l ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Determine which apps are digitally signed on a reference device diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index dd86101ae7..516f7eaff2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md @@ -4,7 +4,7 @@ description: Determine which applications to control and how to control them by ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Determine your application control objectives diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index f87c93e451..4f89790b1c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -5,7 +5,7 @@ ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85 ms.reviewer: ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Display a custom URL message when users try to run a blocked app diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md index be5c338598..aec41fda97 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md @@ -4,7 +4,7 @@ description: This topic describes the file formats and available default rules f ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # DLL rules in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md index 0e40237b7b..7c80353023 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -4,7 +4,7 @@ description: This planning topic describes what you need to investigate, determi ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium @@ -15,6 +15,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.pagetype: security ms.date: 09/21/2017 +ms.technology: mde --- # Document the Group Policy structure and AppLocker rule enforcement diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md index c43cf96fee..64318e0bd7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md @@ -4,7 +4,7 @@ description: This planning topic describes the app information that you should d ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Document your app list diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md index 9f6e032b66..1000876fbf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md @@ -4,7 +4,7 @@ description: Learn how to document your AppLocker rules and associate rule condi ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Document your AppLocker rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index 03b04a1190..9865b4a5d9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps required to mod ms.assetid: dbc72d1f-3fe0-46c2-aeeb-96621fce7637 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Edit an AppLocker policy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md index 028a8237bc..9fba4220b8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to edit a publi ms.assetid: 80016cda-b915-46a0-83c6-5e6b0b958e32 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Edit AppLocker rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md index 575de45499..33f8fc5205 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to enable the D ms.assetid: 88ef9561-6eb2-491a-803a-b8cdbfebae27 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Enable the DLL rule collection diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md index b396db1cfb..977c71d0cf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to enforce applicatio ms.assetid: e1528b7b-77f2-4419-8e27-c9cc3721d96d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Enforce AppLocker rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md index ffdc7ace8c..13e0194acf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md @@ -4,7 +4,7 @@ description: This topic describes the file formats and available default rules f ms.assetid: 65e62f90-6caa-48f8-836a-91f8ac9018ee ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Executable rules in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md index 0443b67c6b..6f17980018 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to export an Ap ms.assetid: 7db59719-a8be-418b-bbfd-22cf2176c9c0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Export an AppLocker policy from a GPO diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md index 6856386f4a..a2c2fda488 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to export an Ap ms.assetid: 979bd23f-6815-478b-a6a4-a25239cb1080 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Export an AppLocker policy to an XML file diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md index b4adeb4b33..6e4827d32a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md @@ -4,7 +4,7 @@ description: This topic for the IT professional provides links to topics about A ms.assetid: 24bb1d73-0ff5-4af7-8b8a-2fa44d4ddbcd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # How AppLocker works diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md index eaa7c7aa78..572410407e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to import an AppLocke ms.assetid: b48cb2b2-8ef8-4cc0-89bd-309d0b1832f6 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Import an AppLocker policy from another computer diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md index ac5ac53cd5..10cdc3f2c5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to import an Ap ms.assetid: 0629ce44-f5e2-48a8-ba47-06544c73261f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Import an AppLocker policy into a GPO diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md index 3e7f0169c7..67545f9094 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -4,7 +4,7 @@ description: Learn how to maintain rules within AppLocker policies. View common ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Maintain AppLocker policies diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md index e33dc7ed87..fc27d49a00 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md @@ -4,7 +4,7 @@ description: Learn concepts and lists procedures to help you manage packaged app ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Manage packaged apps with AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 47c7db9884..ffe44d7fae 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to merge AppLoc ms.assetid: f1c7d5c0-463e-4fe2-a410-844a404f18d0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Merge AppLocker policies by using Set-ApplockerPolicy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md index f40ead0fc0..7567707461 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to manually mer ms.assetid: 3605f293-e5f2-481d-8efd-775f9f23c30f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Merge AppLocker policies manually diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index d0aa573b21..56d201be4e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to monitor app usage ms.assetid: 0516da6e-ebe4-45b4-a97b-31daba96d1cf ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Monitor app usage with AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md index d669f7c890..e050d78690 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to optimize AppLocker ms.assetid: a20efa20-bc98-40fe-bd81-28ec4905e0f6 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Optimize AppLocker performance diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index 1057121e64..5889dda71b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -4,7 +4,7 @@ description: This topic explains the AppLocker rule collection for packaged app ms.assetid: 8fd44d08-a0c2-4c5b-a91f-5cb9989f971d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/13/2017 +ms.technology: mde --- # Packaged apps and packaged app installer rules in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 35e51ee350..7bdb71f127 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -4,7 +4,7 @@ description: This topic for describes the decisions you need to make to establis ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Plan for AppLocker policy management diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md index 9e6a10f475..462a865a4f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to force an upd ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Refresh an AppLocker policy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index 1d132ac242..acabab7d69 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -4,7 +4,7 @@ description: This deployment topic for the IT professional lists the requirement ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Requirements for deploying AppLocker policies diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index 42347224a4..0b4fd786bf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -4,7 +4,7 @@ description: This topic for the IT professional lists software requirements to u ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Requirements to use AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md index a87df1bc69..da19e309e8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes steps to run the wizard t ms.assetid: 8cad1e14-d5b2-437c-8f88-70cffd7b3d8e ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Run the Automatically Generate Rules wizard diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 1854e961d1..db4968297c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -4,7 +4,7 @@ description: This topic describes the file formats and available default rules f ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Script rules in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md index 02e8dd5393..92928f7068 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes the security considera ms.assetid: 354a5abb-7b31-4bea-a442-aa9666117625 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Security considerations for AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md index 4daacad66d..174e5d8a77 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md @@ -4,7 +4,7 @@ description: This topic lists resources you can use when selecting your applicat ms.assetid: 14751169-0ed1-47cc-822c-8c01a7477784 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Select the types of rules to create diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md index 00511d0f23..fd78e7c563 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to test an AppL ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Test an AppLocker policy by using Test-AppLockerPolicy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md index 6306c10479..2027085b0e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md @@ -4,7 +4,7 @@ description: This topic discusses the steps required to test an AppLocker policy ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Test and update an AppLocker policy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md index 974a0000cc..51d801a909 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes the tools available to ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Tools to use with AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index 0cd67f03d8..cbd1b7c62e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -4,7 +4,7 @@ description: This topic describes the AppLocker enforcement settings for rule co ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understand AppLocker enforcement settings diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index a8bfeff845..95dcad5fe6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -4,7 +4,7 @@ description: Review some common considerations while you are planning to use App ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/13/2017 +ms.technology: mde --- # Understand AppLocker policy design decisions diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index ce6f6d4292..5350f5c843 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes how application contro ms.assetid: c1c5a3d3-540a-4698-83b5-0dab5d27d871 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understand AppLocker rules and enforcement setting inheritance in Group Policy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md index 5e0c80b55d..0f909bdf3d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md @@ -4,7 +4,7 @@ description: This planning and deployment topic for the IT professional describe ms.assetid: 4cfd95c1-fbd3-41fa-8efc-d23c1ea6fb16 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understand the AppLocker policy deployment process diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index f9cdae7831..941aa4f30d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -4,7 +4,7 @@ description: This topic explains the differences between allow and deny actions ms.assetid: ea0370fa-2086-46b5-a0a4-4a7ead8cbed9 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding AppLocker allow and deny actions on rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md index 02228d1867..e9e449b52e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md @@ -4,7 +4,7 @@ description: This topic for IT professional describes the set of rules that can ms.assetid: bdb03d71-05b7-41fb-96e3-a289ce1866e1 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding AppLocker default rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md index cbb7806a6b..041eee8f69 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md @@ -4,7 +4,7 @@ description: This topic describes how AppLocker rules are enforced by using the ms.assetid: 3e2738a3-8041-4095-8a84-45c1894c97d0 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding AppLocker rule behavior diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md index 0392b51405..319c895fd9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md @@ -4,7 +4,7 @@ description: This topic explains the five different types of AppLocker rules use ms.assetid: 03c05466-4fb3-4880-8d3c-0f6f59fc5579 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding AppLocker rule collections diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md index 44c123c7a2..8dfb91c58e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes the three types of App ms.assetid: c21af67f-60a1-4f7d-952c-a6f769c74729 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding AppLocker rule condition types diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md index 9420c1f20f..eb3084b691 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md @@ -4,7 +4,7 @@ description: This topic describes the result of applying AppLocker rule exceptio ms.assetid: e6bb349f-ee60-4c8d-91cd-6442f2d0eb9c ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding AppLocker rule exceptions diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index b0e028c79d..7a8bfc63d1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md @@ -4,7 +4,7 @@ description: This topic explains the AppLocker file hash rule condition, the adv ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding the file hash rule condition in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index 95863340c0..057a3dabde 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -4,7 +4,7 @@ description: This topic explains the AppLocker path rule condition, the advantag ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding the path rule condition in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md index 73bd0d992a..8636e3b8dd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md @@ -4,7 +4,7 @@ description: This topic explains the AppLocker publisher rule condition, what co ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding the publisher rule condition in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index f051177f0c..72eea2c6c1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -1,9 +1,9 @@ --- -title: "Use a reference device to create and maintain AppLocker policies (Windows 10)" +title: Use a reference device to create and maintain AppLocker policies (Windows 10) description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6 ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.reviewer: +ms.technology: mde --- # Use a reference device to create and maintain AppLocker policies diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 4e49ccf26f..b6018803fb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes concepts and procedures t ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Use AppLocker and Software Restriction Policies in the same domain diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md index 58edb0059e..65ade4ae02 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how each AppLocker Window ms.assetid: 374e029c-5c0a-44ab-a57a-2a9dd17dc57d ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Use the AppLocker Windows PowerShell cmdlets diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 78c04357c6..7895373d6e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -4,7 +4,7 @@ description: This topic lists AppLocker events and describes how to use Event Vi ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Using Event Viewer with AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md index 1dd5197ddd..5e34495965 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes how to use Software Re ms.assetid: c3366be7-e632-4add-bd10-9df088f74c6d ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Use Software Restriction Policies and AppLocker policies diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index eab62e36b7..5e8f5b2efb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes what AppLocker is and ms.assetid: 44a8a2bb-0f83-4f95-828e-1f364fb65869 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # What Is AppLocker? diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md index 50fff5a7b2..77b78c5a84 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md @@ -4,7 +4,7 @@ description: This topic describes the file formats and available default rules f ms.assetid: 3fecde5b-88b3-4040-81fa-a2d36d052ec9 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Windows Installer rules in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md index 2bde016bc2..276960c4b0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md @@ -4,7 +4,7 @@ description: This topic for IT professionals provides links to procedural topics ms.assetid: 7062d2e0-9cbb-4cb8-aa8c-b24945c3771d ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Working with AppLocker policies diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 1b92efcccf..67910704f3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -5,14 +5,15 @@ ms.assetid: 3966b35b-f2da-4371-8b5f-aec031db6bc9 ms.reviewer: manager: dansimp ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: mjcaparas +author: dansimp ms.localizationpriority: medium msauthor: v-anbic ms.date: 08/27/2018 +ms.technology: mde --- # Working with AppLocker rules diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index c5f703e0aa..c35dfc5108 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -1,9 +1,9 @@ --- title: Audit Windows Defender Application Control policies (Windows 10) description: Audits allow admins to discover apps that were missed during an initial policy scan and to identify new apps that were installed since the policy was created. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Audit Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index b7f98f9949..91186d9798 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -1,9 +1,9 @@ --- title: Configure a WDAC managed installer (Windows 10) description: Explains how to configure a custom Manged Installer. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 08/14/2020 +ms.technology: mde --- # Configuring a managed installer with AppLocker and Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index da15b10af4..f3b993cbc0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md @@ -1,9 +1,9 @@ --- title: Create a code signing cert for Windows Defender Application Control (Windows 10) description: Learn how to set up a publicly-issued code signing certificate, so you can sign catalog files or WDAC policies internally. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 02/28/2018 +ms.technology: mde --- # Optional: Create a code signing cert for Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index d755422a84..37cb5bd513 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -1,9 +1,9 @@ --- title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows 10) description: To create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within your organization, follow this guide. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Create a WDAC policy for fixed-workload devices using a reference computer diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 8b4a0fa4ff..bec0d684e1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -1,10 +1,10 @@ --- title: Create a WDAC policy for fully-managed devices (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. -keywords: security, malware +keywords: security, malware ms.topic: conceptual ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +16,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 11/20/2019 +ms.technology: mde --- # Create a WDAC policy for fully-managed devices diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 89cecfc78b..85a6d9cfdc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -1,10 +1,10 @@ --- title: Create a WDAC policy for lightly-managed devices (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. -keywords: security, malware +keywords: security, malware ms.topic: conceptual ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +16,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 11/15/2019 +ms.technology: mde --- # Create a WDAC policy for lightly-managed devices diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 3abf426167..9dd3b2efa3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -1,9 +1,9 @@ --- title: Deploy catalog files to support Windows Defender Application Control (Windows 10) description: Catalog files simplify running unsigned applications in the presence of a Windows Defender Application Control (WDAC) policy. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 02/28/2018 +ms.technology: mde --- # Deploy catalog files to support Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index bf44f8cd81..d52c5a2d88 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -1,9 +1,9 @@ --- title: Use multiple Windows Defender Application Control Policies (Windows 10) description: Windows Defender Application Control supports multiple code integrity policies for one device. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +14,8 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 09/16/2020 +ms.date: 11/13/2020 +ms.technology: mde --- # Use multiple Windows Defender Application Control Policies @@ -27,7 +28,7 @@ ms.date: 09/16/2020 The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: 1. Enforce and Audit Side-by-Side - - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy + - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy 2. Multiple Base Policies - Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent - If two base policies exist on a device, an application has to be allowed by both to run @@ -48,19 +49,19 @@ The restriction of only having a single code integrity policy active on a system ## Creating WDAC policies in Multiple Policy Format -In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format. +In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format. ```powershell New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash ``` -Optionally, you can choose to make the new base policy supplementable (allow supplemental policies). +Optionally, you can choose to make the new base policy allow for supplemental policies. ```powershell Set-RuleOption -FilePath -Option 17 ``` -For signed base policies that are being made supplementable, you need to ensure that supplemental signers are defined. Use the "Supplemental" switch in Add-SignerRule to provide supplemental signers. +For signed base policies to allow for supplemental policies, make sure that supplemental signers are defined. Use the **Supplemental** switch in **Add-SignerRule** to provide supplemental signers. ```powershell Add-SignerRule -FilePath -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] [] @@ -77,7 +78,8 @@ In order to create a supplemental policy, begin by creating a new policy in the Set-CIPolicyIdInfo [-FilePath] [-PolicyName ] [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] [-ResetPolicyID] [-PolicyId ] [] ``` -Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and resets the policy GUIDs back to a random GUID. +> [!NOTE] +> **ResetPolicyId** reverts a supplemental policy to a base policy, and resets the policy GUIDs back to a random GUID. ### Merging policies @@ -85,19 +87,21 @@ When merging, the policy type and ID of the leftmost/first policy specified is u ## Deploying multiple policies -In order to deploy multiple WDAC policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by MEM Intune's Custom OMA-URI feature. You cannot use the "Deploy Windows Defender Application Control" group policy setting to deploy multiple CI policies. +In order to deploy multiple WDAC policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by MEM Intune's Custom OMA-URI feature. ### Deploying multiple policies locally -In order to deploy policies locally using the new multiple policy format you will need to: +To deploy policies locally using the new multiple policy format, follow these steps: -1. Ensure policies are copied to the right location - - Policies must be copied to this directory: C:\Windows\System32\CodeIntegrity\CiPolicies\Active -2. Binary policy files must have the correct name which takes the format {PolicyGUID}.cip - - Ensure that the name of the binary policy file is exactly the same as the PolicyID in the policy - - For example, if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}` then the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip -3. Reboot the system +1. Ensure binary policy files have the correct naming format of `{PolicyGUID}.cip`. + - Ensure that the name of the binary policy file is exactly the same as the PolicyID GUID in the policy + - For example, if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}`, then the correct name for the binary policy file would be `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip`. +2. Copy binary policies to `C:\Windows\System32\CodeIntegrity\CiPolicies\Active`. +3. Reboot the system. ### Deploying multiple policies via ApplicationControl CSP -Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. Refer to [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. +Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. + +> [!NOTE] +> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md index 9151364753..4246d0b428 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -1,9 +1,9 @@ --- title: Deploy WDAC policies via Group Policy (Windows 10) description: Windows Defender Application Control (WDAC) policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 02/28/2018 +ms.technology: mde --- # Deploy Windows Defender Application Control policies by using Group Policy diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 651222522b..d44af33f24 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -1,9 +1,9 @@ --- title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Intune (Windows 10) description: You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 04/29/2020 +ms.technology: mde --- # Deploy Windows Defender Application Control policies by using Microsoft Intune @@ -22,11 +23,8 @@ ms.date: 04/29/2020 **Applies to:** - Windows 10 -- Windows Server 2016 -You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC). Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited. - -In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies via the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). +You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited. In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. ## Using Intune's Built-In Policies @@ -49,38 +47,56 @@ Setting "Trust apps with good reputation" to enabled is equivalent to adding [Op ## Using a Custom OMA-URI Profile +> [!NOTE] +> Policies deployed through Intune Custom OMA-URI are subject to a 350,000 byte limit. Customers whose devices are running 1903+ builds of Windows are encouraged to use [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) which are more streamlined and less than 350K bytes in size. + ### For 1903+ systems -The steps to use Intune's Custom OMA-URI functionality to leverage the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) and deploy a custom WDAC policy to 1903+ systems are: +Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. + +#### Deploying policies +The steps to use Intune's Custom OMA-URI functionality are: 1. Know a generated policy's GUID, which can be found in the policy xml as `` + 2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. + 3. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. + 4. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**. + 5. Add a row, then give your policy a name and use the following settings: - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy - **Data type**: Base64 - **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. - ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png) + > [!div class="mx-imgBorder"] + > ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png) -> [!NOTE] -> Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. +#### Removing policies + +Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. ### For pre-1903 systems +#### Deploying policies The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: 1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. + 2. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. + 3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**. + 4. Add a row, then give your policy a name and use the following settings: - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy) - **Data type**: Base64 - **Certificate file**: upload your binary format policy file + + > [!NOTE] + > Deploying policies via the AppLocker CSP will force a reboot during OOBE. -> [!NOTE] -> Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy. +#### Removing policies + +Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy. -> [!NOTE] -> Deploying policies via the AppLocker CSP will force a reboot during OOBE. diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index 9b387d559d..a84b17e822 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -1,9 +1,9 @@ --- title: Disable Windows Defender Application Control policies (Windows 10) description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Disable Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 9d9abf86c3..86bf4600dd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -1,9 +1,9 @@ --- title: Enforce Windows Defender Application Control (WDAC) policies (Windows 10) description: Learn how to test a Windows Defender Application Control (WDAC) policy in enforced mode by following these steps in an elevated Windows PowerShell session. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Enforce Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 444430a762..b464707f61 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -1,9 +1,9 @@ --- title: Understanding Application Control event IDs (Windows 10) description: Learn what different Windows Defender Application Control event IDs signify. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 3/17/2020 +ms.technology: mde --- # Understanding Application Control events diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index 455177e5c9..6ee1d70486 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md @@ -1,9 +1,9 @@ --- title: Understanding Application Control event tags (Windows 10) description: Learn what different Windows Defender Application Control event tags signify. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 8/27/2020 +ms.technology: mde --- # Understanding Application Control event tags diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 293ed79adc..e6ce58fcd0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -1,10 +1,10 @@ --- title: Example WDAC base policies (Windows 10) description: When creating a WDAC policy for an organization, start from one of the many available example base policies. -keywords: security, malware +keywords: security, malware ms.topic: article ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +16,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 11/15/2019 +ms.technology: mde --- # Windows Defender Application Control example base policies diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 638d0f40cd..bf9cd09f77 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -1,9 +1,9 @@ --- title: Feature Availability description: Compare WDAC and AppLocker feature availability. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +16,7 @@ ms.author: deniseb manager: dansimp ms.date: 04/15/2020 ms.custom: asr +ms.technology: mde --- # WDAC and AppLocker feature availability diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-confirm-base-policy-modification.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-confirm-base-policy-modification.png new file mode 100644 index 0000000000..17ab235dc3 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-confirm-base-policy-modification.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-file-attribute-rule.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-file-attribute-rule.png new file mode 100644 index 0000000000..a285f6a6bc Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-file-attribute-rule.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-publisher-rule.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-publisher-rule.png new file mode 100644 index 0000000000..0a8e9e6259 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-publisher-rule.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-policy-rules.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-policy-rules.png new file mode 100644 index 0000000000..fbbad28cf2 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-policy-rules.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-remove-file-rule.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-remove-file-rule.png new file mode 100644 index 0000000000..74cf1a5f45 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-remove-file-rule.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-merge.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-merge.png new file mode 100644 index 0000000000..13d3a31cec Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-merge.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI-advanced-collapsed.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI-advanced-collapsed.png new file mode 100644 index 0000000000..de3197aabb Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI-advanced-collapsed.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI.png new file mode 100644 index 0000000000..c8792c45c7 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-expandable.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-expandable.png new file mode 100644 index 0000000000..d595591525 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-expandable.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-base.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-base.png new file mode 100644 index 0000000000..0f28e5f409 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-base.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png new file mode 100644 index 0000000000..67df953a08 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-policy-rule-options-UI.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-policy-rule-options-UI.png new file mode 100644 index 0000000000..53b924fcd9 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-policy-rule-options-UI.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-template-selection.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-template-selection.png new file mode 100644 index 0000000000..d523a7f6b0 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-template-selection.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index 0c2cbcf366..4d5cd8178f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -1,9 +1,9 @@ --- title: Manage packaged apps with WDAC (Windows 10) description: Packaged apps, also known as Universal Windows apps, allow you to control the entire app by using a single Windows Defender Application Control (WDAC) rule. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/29/2020 +ms.technology: mde --- # Manage Packaged Apps with Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index 8437b48c3c..97f364c353 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md @@ -1,9 +1,9 @@ --- title: Merge Windows Defender Application Control policies (Windows 10) description: Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. Learn how with this guide. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Merge Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 06d6ee7d8f..33c5abdbce 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -1,9 +1,9 @@ --- title: Microsoft recommended block rules (Windows 10) -description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community. -keywords: security, malware +description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community. +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 04/09/2019 +ms.technology: mde --- # Microsoft recommended block rules @@ -88,6 +89,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Lasse Trolle Borup | Langkjaer Cyber Defence | |Jimmy Bayne | @bohops | |Philip Tsukerman | @PhilipTsukerman | +|Brock Mammen| |
        @@ -158,6 +160,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + @@ -896,6 +899,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 7d56cdbe9e..3c8a72ac23 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -1,9 +1,9 @@ --- title: Microsoft recommended driver block rules (Windows 10) -description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community. -keywords: security, malware, kernel mode, driver +description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community. +keywords: security, malware, kernel mode, driver ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 10/15/2020 +ms.technology: mde --- # Microsoft recommended driver block rules diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index 61a59f78bf..13d6752759 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -1,9 +1,9 @@ --- title: Plan for WDAC policy management (Windows 10) description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 02/21/2018 +ms.technology: mde --- # Plan for Windows Defender Application Control lifecycle policy management @@ -65,7 +66,7 @@ Each time that a process is blocked by WDAC, events will be written to either th Collecting these events in a central location can help you maintain your WDAC policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](https://go.microsoft.com/fwlink/p/?LinkId=145012). -Additionally, WDAC events are collected by [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature. +Additionally, WDAC events are collected by [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature. ## Application and user support policy diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md index 19bcd021e5..ed001ad80e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md @@ -1,9 +1,9 @@ --- title: Query Application Control events with Advanced Hunting (Windows 10) description: Learn how to query Windows Defender Application Control events across your entire organization by using Advanced Hunting. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 12/06/2018 +ms.technology: mde --- # Querying Application Control events centrally using Advanced hunting @@ -22,12 +23,12 @@ ms.date: 12/06/2018 A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems. -In November 2018, we added functionality in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. +In November 2018, we added functionality in Microsoft Defender for Endpoint that makes it easy to view WDAC events centrally from all systems that are connected to Defender for Endpoint. -Advanced hunting in Microsoft Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. +Advanced hunting in Microsoft Defender for Endpoint allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. This capability is supported beginning with Windows version 1607. -Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender ATP: +Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint: ``` DeviceEvents diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 134df74024..b692c51861 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -1,9 +1,9 @@ --- title: Understand WDAC policy rules and file rules (Windows 10) description: Learn how Windows Defender Application Control provides control over a computer running Windows 10 by using policies that include policy rules and file rules. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 03/04/2020 +ms.technology: mde --- # Understand WDAC policy rules and file rules diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index 601d01340e..936314d342 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -3,7 +3,7 @@ title: Policy creation for common WDAC usage scenarios (Windows 10) description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 03/01/2018 +ms.technology: mde --- # Windows Defender Application Control deployment in different scenarios: types of devices @@ -41,7 +42,7 @@ In the next set of topics, we will explore each of the above scenarios using a f Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff. -Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (MDATP) for better endpoint detection and response. +Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response. > [!NOTE] > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager. diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index ae0cd53f63..9443134723 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -1,10 +1,10 @@ --- title: Understand Windows Defender Application Control policy design decisions (Windows 10) -description: Understand Windows Defender Application Control policy design decisions. -keywords: security, malware +description: Understand Windows Defender Application Control policy design decisions. +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb manager: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp ms.date: 02/08/2018 +ms.technology: mde --- # Understand Windows Defender Application Control policy design decisions diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index f49176ee48..8e289e4bf3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -1,9 +1,9 @@ --- title: Use code signing to simplify application control for classic Windows applications (Windows 10) description: With embedded signing, your WDAC policies typically do not have to be updated when an app is updated. To set this up, you can choose from a variety of methods. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Use code signing to simplify application control for classic Windows applications diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md index 766037be4b..4703d016ee 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md @@ -4,7 +4,7 @@ description: You can sign code integrity policies with the Device Guard signing keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ author: jsuther1974 ms.reviewer: isbrahm manager: dansimp ms.date: 02/19/2019 +ms.technology: mde --- # Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index f5a09fc5c6..c951c3b825 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -1,9 +1,9 @@ --- title: Use signed policies to protect Windows Defender Application Control against tampering (Windows 10) -description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. -keywords: security, malware +description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Use signed policies to protect Windows Defender Application Control against tampering diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 79a167e2a1..5392e5253b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -5,7 +5,7 @@ keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb manager: dansimp ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm ms.date: 05/03/2018 +ms.technology: mde --- # Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules @@ -33,17 +34,17 @@ As of Windows 10, version 1703, you can use WDAC policies not only to control ap To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your 'master' policy (merging is described in the next section). -For example, to create a WDAC policy that allows **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization's enterprise resource planning (ERP) application, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable: +For example, to create a WDAC policy allowing **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization's enterprise resource planning (ERP) application, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable: ```powershell -$rule = New-CIPolicyRule -DriverFilePath '.\ERP1.exe' -Level FileName -AppID '.\temp\addin1.dll' -$rule += New-CIPolicyRule -DriverFilePath '.\ERP1.exe' -Level FileName -AppID '.\temp\addin2.dll' +$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe' +$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe' New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs ``` As another example, to create a WDAC policy that blocks **addin3.dll** from running in Microsoft Word, run the following command. You must include the `-Deny` option to block the specified add-ins in the specified application: ```powershell -$rule = New-CIPolicyRule -DriverFilePath '.\winword.exe' -Level FileName -Deny -AppID '.\temp\addin3.dll' +$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe' New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs ``` diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 5490ef7a77..9670e64011 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -1,9 +1,9 @@ --- title: Windows Defender Application Control and .NET Hardening (Windows 10) description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 08/20/2018 +ms.technology: mde --- # Windows Defender Application Control and .NET hardening diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 7705229827..089a7ea67f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -3,7 +3,7 @@ title: Authorize reputable apps with the Intelligent Security Graph (ISG) (Windo description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 03/10/2020 +ms.technology: mde --- # Authorize reputable apps with the Intelligent Security Graph (ISG) @@ -90,7 +91,7 @@ This step is not required for WDAC policies deployed over MDM using the AppLocke ## Security considerations with the Intelligent Security Graph -Since the Microsoft Intelligent Security Graph is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Microsoft Defender Advanced Threat Protection to help provide optics into what users are doing. +Since the Microsoft Intelligent Security Graph is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Microsoft Defender for Endpoint to help provide optics into what users are doing. Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of WDAC when the Microsoft Intelligent Security Graph option is allowed by circumventing or corrupting the heuristics used to assign reputation to application executables. The Microsoft Intelligent Security Graph option uses the same heuristic tracking as managed installer and so for application installers that include an option to automatically run the application at the end of the installation process the heuristic may over-authorize. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md index d6810894b4..c3397bfba4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md @@ -1,9 +1,9 @@ --- title: Authorize apps deployed with a WDAC managed installer (Windows 10) -description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager. -keywords: security, malware +description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager. +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 08/14/2020 +ms.technology: mde --- # Authorize apps deployed with a WDAC managed installer diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 9fe4c819a1..03f0eb6f0d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -3,7 +3,7 @@ title: WDAC and AppLocker Overview description: Compare Windows application control technologies. keywords: security, malware, allow-list, block-list ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +16,7 @@ ms.author: deniseb manager: dansimp ms.date: 09/30/2020 ms.custom: asr +ms.technology: mde --- # Windows Defender Application Control and AppLocker Overview diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md new file mode 100644 index 0000000000..46ef9319e7 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -0,0 +1,139 @@ +--- +title: Windows Defender Application Control Wizard Base Policy Creation +description: Creating new base application control policies with the Microsoft Windows Defender Application (WDAC) Wizard. +keywords: allow listing, block listing, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.topic: conceptual +ms.date: 10/14/2020 +ms.technology: mde +--- + +# Creating a new Base Policy with the Wizard + +**Applies to** +- Windows 10 +- Windows Server 2016 and above + +When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start with a template policy and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules. + + +## Template Base Policies + +Each of the template policies has a unique set of policy allow list rules that will affect the circle-of-trust and security model of the policy. The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy will have a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility. + + +| Template Base Policy | Description | +|---------------------------------|-------------------------------------------------------------------| +| **Default Windows Mode** | Default Windows mode will authorize the following components:
        • Windows operating components - any binary installed by a fresh install of Windows
        • Apps installed from the Microsoft Store
        • Microsoft Office365 apps, OneDrive, and Microsoft Teams
        • Third-party [Windows Hardware Compatible drivers](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature)
        | +| **Allow Microsoft Mode** | Allow mode will authorize the following components:
        • Windows operating components - any binary installed by a fresh install of Windows
        • Apps installed from the Microsoft Store
        • Microsoft Office365 apps, OneDrive, and Microsoft Teams
        • Third-party [Windows Hardware Compatible drivers](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature)
        • *All Microsoft-signed software*
        | +| **Signed and Reputable Mode** | Signed and Reputable mode will authorize the following components:
        • Windows operating components - any binary installed by a fresh install of Windows
        • Apps installed from the Microsoft Store
        • Microsoft Office365 apps, OneDrive, and Microsoft Teams
        • Third-party [Windows Hardware Compatible drivers](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature)
        • All Microsoft-signed software
        • *Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-windows-defender-application-control-with-intelligent-security-graph.md)*
        | + +*Italicized content denotes the changes in the current policy with respect to the policy prior.* + +More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example WDAC base policies article](example-wdac-base-policies.md). + +![Selecting a base template for the policy](images/wdac-wizard-template-selection.png) + +Once the base template is selected, give the policy a name and choose where to save the application control policy on disk. + +## Configuring Policy Rules + +Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen template from the previous page. Choose to enable or disable the desired policy rule options by pressing the slider button next to the policy rule titles. A short description of each rule will appear at the bottom of the page when the mouse hovers over the rule title. + +### Policy Rules Description + +A description of each policy rule, beginning with the left-most column, is provided below. The [Policy rules article](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules) provides a full description of each policy rule. + +| Rule option | Description | +|------------ | ----------- | +| **Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | +| **Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. | +| **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. | +|**[Hypervisor-protected code integrity (HVCI)](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.| +| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | +| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. | +| **Require WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. | +| **Update Policy without Rebooting** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. | +| **Unsigned System Integrity Policy** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. | +| **User Mode Code Integrity** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | + +> [!div class="mx-imgBorder"] +> ![Rule options UI for Windows Allowed mode policy](images/wdac-wizard-rule-options-UI-advanced-collapsed.png) + +### Advanced Policy Rules Description + +Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules. A description of each policy rule is provided below. + +| Rule option | Description | +|------------ | ----------- | +| **Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | +| **Disable Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flight/preview-signed builds. | +| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. | +| **Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries (DLLs). | +| **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| +| **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. | + +![Rule options UI for Windows Allowed mode](images/wdac-wizard-rule-options-UI.png) + +> [!NOTE] +> We recommend that you **enable Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default. + +## Creating custom file rules + +[File rules](select-types-of-rules-to-create.md#windows-defender-application-control-file-rule-levels) in an application control policy will specify the level at which applications will be identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting the **+ Custom Rules** will open the custom file rule conditions panel to create custom file rules for your policy. The Wizard supports four types of file rules: + +### Publisher Rules + +The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The table below shows the relationship between the slider placement, the corresponding WDAC rule level and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule. + +| Rule Condition | WDAC Rule Level | Description | +|------------ | ----------- | ----------- | +| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. | +| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example a device driver corp, is affected. | +| **File version** | SignedVersion | This rule is a combination of PCACertificate, publisher, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. | +| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate as well as a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. | + + +![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png) + +### Filepath Rules + +Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button. + +### File Attribute Rules + +The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name parameter. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule. + +| Rule level | Description | +|------------ | ----------- | +| **Original Filename** | Specifies the original file name, or the name with which the file was first created, of the binary. | +| **File description** | Specifies the file description provided by the developer of the binary. | +| **Product name** | Specifies the name of the product with which the binary ships. | +| **Internal name** | Specifies the internal name of the binary. | + +> [!div class="mx-imgBorder"] +> ![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png) + +### File Hash Rules + +Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule cannot be created using the specified file rule level. + + +#### Deleting Signing Rules + +The policy signing rules list table on the left of the page will document the allow and deny rules in the template, as well as any custom rules you create. Template signing rules and custom rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you will be prompted for additional confirmation. Select `Yes` to remove the rule from the policy and the rules table. + +## Up next + +- [Editing a WDAC policy using the Wizard](wdac-wizard-editing-policy.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md new file mode 100644 index 0000000000..bca81708e6 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md @@ -0,0 +1,112 @@ +--- +title: Windows Defender Application Control Wizard Supplemental Policy Creation +description: Creating supplemental application control policies with the WDAC Wizard. +keywords: allowlisting, blocklisting, security, malware, supplemental policy +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.topic: conceptual +ms.date: 10/14/2020 +ms.technology: mde +--- + +# Creating a new Supplemental Policy with the Wizard + +**Applies to** +- Windows 10 +- Windows Server 2016 and above + +Beginning in Windows 10 version 1903, WDAC supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When using supplemental policies, applications allowed by the base or its supplemental policy/policies will be allowed to execute. + +Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules. + +## Expanding a Base Policy + +Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard will verify if the base policy allows supplementals and will show the following confirmation. + +![Base policy allows supplemental policies](images/wdac-wizard-supplemental-expandable.png) + +If the base policy is not configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed. + +![Wizard confirms modification of base policy](images/wdac-wizard-confirm-base-policy-modification.png) + +Policies that cannot be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md). + +![Wizard detects a bad base policy](images/wdac-wizard-supplemental-not-base.png) + +## Configuring Policy Rules + +Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen base policy from the previous page. Most of the supplemental policy rules must be inherited from the base policy. The Wizard will automatically parse the base policy and set the required supplemental policy rules to match the base policy rules. Inherited policy rules will be grayed out and will not be modifiable in the user interface. + +A short description of the rule will be shown at the bottom of the page when the cursor is placed on the rule title. + +### Configurable Supplemental Policy Rules Description + +There are only three policy rules that can be configured by the supplemental policy. A description of each policy rule, beginning with the left-most column, is provided below. Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules. + + +| Rule option | Description | +|------------ | ----------- | +| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | +| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. | +| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. | + +![Rule options UI for Windows Allowed mode](images/wdac-wizard-supplemental-policy-rule-options-UI.png) + +## Creating custom file rules + +File rules in an application control policy will specify the level at which applications will be identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting the **+ Custom Rules** will open the custom file rule conditions panel to create and customize targeted file rules for your policy. The Wizard supports four types of file rules: + +### Publisher Rules + +The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The table below shows the relationship between the slider placement, the corresponding WDAC rule level, and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule. + +| Rule Condition | WDAC Rule Level | Description | +|------------ | ----------- | ----------- | +| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This certificate is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. | +| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example a device driver publisher, is affected. | +| **File version** | SignedVersion | This rule is a combination of the PCACertificate and Publisher rule, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. | +| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. | + + +![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png) + +### Filepath Rules + +Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button. + +### File Attribute Rules + +The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule. + +| Rule level | Description | +|------------ | ----------- | +| **Original Filename** | Specifies the original file name, or the name with which the file was first created, of the binary. | +| **File description** | Specifies the file description provided by the developer of the binary. | +| **Product name** | Specifies the name of the product with which the binary ships. | +| **Internal name** | Specifies the internal name of the binary. | + + +![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png) + +### File Hash Rules + +Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule cannot be created using the specified file rule level. + + +#### Deleting Signing Rules + +The table on the left of the page will document the allow and deny rules in the template, and any custom rules you create. Rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you will be prompted for additional confirmation. Select `Yes` to remove the rule from the policy and the rules table. + +## Up next + +- [Editing a WDAC policy using the Wizard](wdac-wizard-editing-policy.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md new file mode 100644 index 0000000000..2b94c7f004 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md @@ -0,0 +1,73 @@ +--- +title: Editing Windows Defender Application Control Policies with the Wizard +description: Editing existing base and supplemental policies with the Microsoft WDAC Wizard. +keywords: allowlisting, blocklisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.topic: conceptual +ms.date: 10/14/2020 +ms.technology: mde +--- + +# Editing existing base and supplemental WDAC policies with the Wizard + +**Applies to** +- Windows 10 +- Windows Server 2016 and above + +The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities: +
          +
        • [Configuring policy rules](#configuring-policy-rules)
          • +
        • [Adding new allow or block file rules to existing policies](#adding-file-rules)
          • +
        • [Removing allow or block file rules on existing policies](#removing-file-rules)
          • +
        + +## Configuring Policy Rules + +The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains additional policy rule options that are less common to the majority of users. To edit any of the rules, flip the corresponding policy rule state. For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules). + +![Configuring the policy rules](images/wdac-wizard-edit-policy-rules.png) + +A description of the policy rule is shown at the bottom of the page when the cursor is placed over the rule title. For a complete list of the policy rules and their capabilities, see the [Windows Defender Application Control policy rules table](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules). + +## Adding File Rules + +The WDAC Wizard allows users to add rules to their existing policy seamlessly. Previously, this would have involved creating a new policy with the new rules and merging it with the existing policy. + +Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](wdac-wizard-create-base-policy.md#creating-custom-file-rules). + +## Removing File Rules + +The WDAC Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table. + +![Removing file rule from policy during edit](images/wdac-wizard-edit-remove-file-rule.png) + +**Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2. + +```xml + + + + + +``` + +[comment]: <> (## Editing File Rules Coming soon!) + +### Policy Creation + +Once the policy is created, the new policy will be written to the same path as the in-edit policy. The new policy file name will have the policy version appended to the end of the file name. For instance, if the in-edit policy is saved at MyDocuments\BasePolicy.xml, after edit, the new policy will be saved at MyDocuments\BasePolicy_v10.0.0.1.xml. + +## Up next + +- [Merging WDAC policies using the Wizard](wdac-wizard-merging-policies.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md new file mode 100644 index 0000000000..ec6e988048 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md @@ -0,0 +1,33 @@ +--- +title: Windows Defender Application Control Wizard Policy Merging Operation +description: Merging multiple policies into a single application control policy with the Microsoft WDAC Wizard. +keywords: allowlisting, blocklisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.topic: conceptual +ms.date: 10/14/2020 +ms.technology: mde +--- + +# Merging existing policies with the WDAC Wizard + +Beginning in Windows 10 version 1903, WDAC supports multiple policies. Before version 1903, however, Windows 10 could only have one WDAC policy. Consequently, users were required to merge multiple WDAC policies into one. The WDAC Wizard has a simple to use user interface to allow users to merge multiple WDAC policies. The Wizard can support up to 15 policy files as input during the merge workflow. + +Select the policies you wish to merge into one policy using the `+ Add Policy` button under the table. Once added, policies will be enumerated within the table. To remove a policy from the table, if accidentally added, highlight the policy row and select the `- Remove Policy` button. Confirmation will be required before the policy is withdrawn from the table. + +> [!NOTE] +> The policy type and ID of the final output policy will be determined based on the type and ID of the **first policy** in the policy list table. For instance, if a legacy policy format policy and a multi-policy format policy are merged together, the output format of the policy will be whichever policy is specified first in the table. For more information on policy formats, visit the [Multiple WDAC Policies page](deploy-multiple-windows-defender-application-control-policies.md). + +Lastly, select a filepath save location for the final merged policy using the `Browse` button. If a minimum of two policies are selected, and the save location is specified, select the `Next` button to build the policy. + +![Merging WDAC policies into a final WDAC policy](images/wdac-wizard-merge.png) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md new file mode 100644 index 0000000000..cf315b6c1f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md @@ -0,0 +1,51 @@ +--- +title: Windows Defender Application Control Wizard +description: Microsoft Defender Application Control Wizard (WDAC) Wizard allows users to create, edit, and merge application control policies in a simple to use Windows application. +keywords: allowlisting, blocklisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.topic: conceptual +ms.date: 10/14/2020 +ms.technology: mde +--- + +# Windows Defender Application Control Wizard + +**Applies to:** + +- Windows 10 +- Windows Server 2016 and above + +The Windows Defender Application Control (WDAC) policy Wizard is an open source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects, security and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](https://docs.microsoft.com/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical. + +## Downloading the application + +The WDAC Wizard can be downloaded from the official [Wizard installer website](https://bit.ly/3koHwYs) as an MSIX packaged application. The Wizard's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Wizard Repo](https://github.com/MicrosoftDocs/WDAC-Toolkit). + +**Supported Clients** + +As the WDAC Wizard uses the cmdlets in the background, the Wizard is functional on clients only where the cmdlets are supported as outlined in [WDAC feature availability](feature-availability.md). Specifically, the tool will verify that the client meets one of the following requirements: + +- Windows builds 1909+ +- For pre-1909 builds, the Enterprise SKU of Windows is installed + +If neither requirement is satisfied, the Wizard will throw an error as the cmdlets are not available. + +## In this section + +| Topic | Description | +| - | - | +| [Creating a new base policy](wdac-wizard-create-base-policy.md) | This article describes how to create a new base policy using one of the supplied policy templates. | +| [Creating a new supplemental policy](wdac-wizard-create-supplemental-policy.md) | This article describes the steps necessary to create a supplemental policy, from one of the supplied templates, for an existing base policy. | +| [Editing a base or supplemental policy](wdac-wizard-editing-policy.md) | This article demonstrates how to modify an existing policy and the Wizard's editing capabilities. | +| [Merging policies](wdac-wizard-merging-policies.md) | This article describes how to merge policies into a single application control policy. | diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index 0484518b2a..68c0aa549e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -1,9 +1,9 @@ --- title: Planning and getting started on the Windows Defender Application Control deployment process (Windows 10) -description: Learn how to gather information, create a plan, and begin to test initial code integrity policies for a Windows Defender Application Control deployment. +description: Learn how to gather information, create a plan, and begin to test initial code integrity policies for a Windows Defender Application Control deployment. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/16/2018 +ms.technology: mde --- # Planning and getting started on the Windows Defender Application Control deployment process diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md index 1d18afd93e..0f0e3e388f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md @@ -3,7 +3,7 @@ title: Windows Defender Application Control design guide (Windows 10) description: Microsoft Windows Defender Application Control allows organizations to control what apps and drivers will run on their managed Windows 10 devices. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +16,7 @@ ms.author: dansimp manager: dansimp ms.topic: conceptual ms.date: 02/20/2018 +ms.technology: mde --- # Windows Defender Application Control design guide @@ -45,5 +46,6 @@ Once these business factors are in place, you are ready to begin planning your W | [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. | | [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. | | [Policy creation for common WDAC usage scenarios](types-of-devices.md) | This set of topics outlines common use case scenarios and helps you begin to develop a plan for deploying WDAC in your organization. | +| [Policy creation using the WDAC Wizard tool](wdac-wizard.md) | This set of topics describes how to use the WDAC Wizard desktop app to easily create, edit and merge WDAC policies. | After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 8a7ad0700f..8a7fec062e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -3,7 +3,7 @@ title: Managing and troubleshooting Windows Defender Application Control policie description: Gather information about how your deployed Windows Defender Application Control policies are behaving. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 03/16/2020 +ms.technology: mde --- # Windows Defender Application Control operational guide @@ -24,7 +25,7 @@ ms.date: 03/16/2020 - Windows 10 - Windows Server 2016 and above -After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanced Threat Protection (MDATP) Advanced Hunting feature. +After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature. ## WDAC Events Overview @@ -42,4 +43,4 @@ WDAC events are generated under two locations: | - | - | | [Understanding Application Control event IDs](event-id-explanations.md) | This topic explains the meaning of different WDAC event IDs. | | [Understanding Application Control event tags](event-tag-explanations.md) | This topic explains the meaning of different WDAC event tags. | -| [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. | +| [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender for Endpoint. | diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index e6c525c383..5c7a82ef8a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -3,7 +3,7 @@ title: Application Control for Windows description: Application Control restricts which applications users are allowed to run and the code that runs in the system core. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +16,7 @@ ms.author: deniseb manager: dansimp ms.date: 05/26/2020 ms.custom: asr +ms.technology: mde --- # Application Control for Windows diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md index 3179f10cb2..967180e8e6 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md @@ -3,7 +3,7 @@ title: Account protection in the Windows Security app description: Use the Account protection section to manage security for your account and sign in to Microsoft. keywords: account protection, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide, Windows Defender SmartScreen, SmartScreen Filter, Windows SmartScreen search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: dansimp ms.date: 04/30/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index bbfe0a7bd0..d6c1337545 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md @@ -3,7 +3,7 @@ title: App & browser control in the Windows Security app description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings. keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.author: dansimp ms.date: 04/30/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # App and browser control diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 45a707db18..5924c85165 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -3,7 +3,7 @@ title: Customize Windows Security contact information description: Provide information to your employees on how to contact your IT department when a security issue occurs keywords: wdsc, security center, defender, notification, customize, contact, it department, help desk, call, help site search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: dansimp ms.date: 04/30/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Customize the Windows Security app for your organization diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index ca606e3a6b..de163e7707 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -3,7 +3,7 @@ title: Device & performance health in the Windows Security app description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues keywords: wdsc, windows update, storage, driver, device, installation, battery, health, status search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: dansimp ms.date: 04/30/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index 26a2da094f..8df410f1f3 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -3,7 +3,7 @@ title: Device security in the Windows Security app description: Use the Device security section to manage security built into your device, including virtualization-based security. keywords: device security, device guard, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: dansimp ms.date: 10/02/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Device security diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index 4886c28f4d..e8003f20a2 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -3,7 +3,7 @@ title: Family options in the Windows Security app description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options are not intended for business environments. keywords: wdsc, family options, hide, suppress, remove, disable, uninstall, kids, parents, safety, parental, child, screen time search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: dansimp ms.date: 04/30/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 7a394abba3..5cf74d9fdf 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -3,7 +3,7 @@ title: Firewall and network protection in the Windows Security app description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine. keywords: wdsc, firewall, windows defender firewall, network, connections, domain, private network, publish network, allow firewall, firewall rule, block firewall search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,6 +12,7 @@ ms.author: dansimp ms.date: 04/30/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index e4ee0c83a3..1a7d13e733 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -3,7 +3,7 @@ title: Hide notifications from the Windows Security app description: Prevent Windows Security app notifications from appearing on user endpoints keywords: defender, security center, app, notifications, av, alerts search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: dansimp ms.date: 07/23/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Hide Windows Security app notifications diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 63e2d82171..28d50127b4 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -3,7 +3,7 @@ title: Virus and threat protection in the Windows Security app description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products. keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: dansimp ms.date: 04/30/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index b22eec75f4..7925fe31dc 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -3,7 +3,7 @@ title: Manage Windows Security in Windows 10 in S mode description: Learn how to manage Windows Security settings in Windows 10 in S mode. Windows 10 in S mode is streamlined for tighter security and superior performance. keywords: windows 10 in s mode, windows 10 s, windows 10 s mode, wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: dansimp ms.date: 04/30/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Manage Windows Security in Windows 10 in S mode diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index a3bf04355b..174e3b1ec8 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -3,7 +3,7 @@ title: The Windows Security app description: The Windows Security app brings together common Windows security features into one place keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,6 +12,7 @@ ms.author: dansimp ms.date: 10/02/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # The Windows Security app @@ -34,7 +35,7 @@ In Windows 10, version 1803, the app has two new areas, **Account protection** a ![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) > [!NOTE] -> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). +> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). You can't uninstall the Windows Security app, but you can do one of the following: diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index e389280262..8b55c05b3e 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md @@ -6,13 +6,14 @@ ms.reviewer: manager: dansimp ms.author: dansimp search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.date: 03/01/2019 +ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md index 33b2c4f62e..bb47f523e4 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md @@ -7,13 +7,14 @@ manager: dansimp ms.author: deniseb author: denisebmsft search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium ms.date: 03/01/2019 ms.custom: asr +ms.technology: mde --- @@ -83,5 +84,5 @@ As Windows 10 boots, a series of integrity measurements are taken by Windows Def ![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) -After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. +After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index c141b00025..662de15893 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -2,16 +2,17 @@ title: System Guard Secure Launch and SMM protection (Windows 10) description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows 10 devices. search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp -ms.date: 03/01/2019 +ms.date: 12/28/2020 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # System Guard Secure Launch and SMM protection @@ -91,3 +92,6 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic |Modern/Connected Standby|Platforms must support Modern/Connected Standby.| |Platform firmware|Platform firmware must carry all code required to perform a launch.| |Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | + +> [!NOTE] +> For more details around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). diff --git a/windows/security/threat-protection/windows-firewall/TOC.md b/windows/security/threat-protection/windows-firewall/TOC.md index 34b7c1beb1..00a5fecc08 100644 --- a/windows/security/threat-protection/windows-firewall/TOC.md +++ b/windows/security/threat-protection/windows-firewall/TOC.md @@ -165,6 +165,10 @@ ## [Troubleshooting]() ### [Troubleshooting UWP app connectivity issues in Windows Firewall](troubleshooting-uwp-firewall.md) +### [Filter origin audit log improvements](filter-origin-documentation.md) +### [Quarantine behavior](quarantine.md) +### [Firewall settings lost on upgrade](firewall-settings-lost-on-upgrade.md) + diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md index 32918a0147..9995f497a4 100644 --- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md @@ -4,7 +4,7 @@ description: Learn how to add production devices to the membership group for a z ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Add Production Devices to the Membership Group for a Zone diff --git a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md index 6bfc87a6c3..30d809e60c 100644 --- a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md @@ -4,7 +4,7 @@ description: Learn how to add devices to the group for a zone to test whether yo ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Add Test Devices to the Membership Group for a Zone diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index b9c0f35fc2..0345da06fe 100644 --- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -4,7 +4,7 @@ description: Use sample template files import an XML file containing customized ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Appendix A: Sample GPO Template Files for Settings Used in this Guide diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md index 663f7ba800..08a9798526 100644 --- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md @@ -4,7 +4,7 @@ description: Learn how to use Group Policy Management MMC to assign security gro ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/02/2019 +ms.technology: mde --- # Assign Security Group Filters to the GPO diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md index f8bce090ea..76378c3a0f 100644 --- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md @@ -4,7 +4,7 @@ description: Protect the devices in your organization from unwanted network traf ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Basic Firewall Policy Design diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index 274baf82d2..a8e18add00 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md @@ -1,10 +1,8 @@ --- title: Best practices for configuring Windows Defender Firewall description: Learn about best practices for configuring Windows Defender Firewall - keywords: firewall, best practices, security, network security, network, rules, filters, - -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +11,9 @@ author: schmurky ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article - +ms.technology: mde --- # Best practices for configuring Windows Defender Firewall diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md index 81e8194d88..50e2f66e16 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md @@ -4,7 +4,7 @@ description: Learn about GPOs to create that must align with the group you creat ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Boundary Zone GPOs diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index 849fd51e8b..0e67454be2 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md @@ -4,7 +4,7 @@ description: Learn how a boundary zone supports devices that must receive traffi ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Boundary Zone diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md index 45b1bdfe0f..1b369d6c5e 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md @@ -4,7 +4,7 @@ description: This example uses a fictitious company to illustrate certificate-ba ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Certificate-based Isolation Policy Design Example diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md index 38ec0654bb..7c427d50e7 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md @@ -4,7 +4,7 @@ description: Explore the methodology behind Certificate-based Isolation Policy D ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Certificate-based isolation policy design diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md index d953de0a48..cbea6cabc0 100644 --- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md +++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md @@ -4,7 +4,7 @@ description: Learn how to convert a rule from request to require mode and apply ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Change Rules from Request to Require Mode diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md index 8d1a5f6710..a3164b6f45 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md @@ -1,10 +1,10 @@ --- title: Checklist Configuring Basic Firewall Settings (Windows 10) -description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall. +description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall. ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Checklist: Configuring Basic Firewall Settings diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md index 9bc976625b..2ecb358ade 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -4,7 +4,7 @@ description: Use these tasks to configure connection security rules and IPsec se ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Checklist: Configuring Rules for an Isolated Server Zone diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index bb381856b4..c07a12c977 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -4,7 +4,7 @@ description: Checklist Configuring Rules for Servers in a Standalone Isolated Se ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md index 4a8272c0a4..e10ef7fc18 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md @@ -4,7 +4,7 @@ description: Use these tasks to configure connection security rules and IPsec se ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Checklist: Configuring Rules for the Boundary Zone diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md index b9406909c6..180c4f2168 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md @@ -4,7 +4,7 @@ description: Use these tasks to configure connection security rules and IPsec se ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Checklist: Configuring Rules for the Encryption Zone diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md index dce673dded..2bccefd09c 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md @@ -4,7 +4,7 @@ description: Use these tasks to configure connection security rules and IPsec se ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Checklist: Configuring Rules for the Isolated Domain diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md index 4bea4169a2..d2ba4b5a27 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md @@ -4,7 +4,7 @@ description: Learn to deploy firewall settings, IPsec settings, firewall rules, ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Checklist: Creating Group Policy Objects diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md index 4b04bec98e..834016bd7b 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md @@ -4,7 +4,7 @@ description: Use these tasks for creating inbound firewall rules in your GPOs fo ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Checklist: Creating Inbound Firewall Rules diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md index 4b03a9a468..b20cb735f9 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md @@ -4,7 +4,7 @@ description: Use these tasks for creating outbound firewall rules in your GPOs f ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Checklist: Creating Outbound Firewall Rules diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index 49d318d5fe..4a4c525867 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -4,7 +4,7 @@ description: Checklist for when creating rules for clients of a Standalone Isola ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index 2fec691406..1aa6060a8c 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md @@ -1,10 +1,10 @@ --- title: Checklist Implementing a Basic Firewall Policy Design (Windows 10) -description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation. +description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation. ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Checklist: Implementing a Basic Firewall Policy Design diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md index 6e7e1f12f2..52c11e99ed 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -4,7 +4,7 @@ description: Use these references to learn about using certificates as an authen ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Checklist: Implementing a Certificate-based Isolation Policy Design diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md index f9ac702f70..1261adcbb9 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md @@ -4,7 +4,7 @@ description: Use these references to learn about the domain isolation policy des ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Checklist: Implementing a Domain Isolation Policy Design diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index 5428613f80..1d53748cc1 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -4,7 +4,7 @@ description: Use these tasks to create a server isolation policy design that is ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Checklist: Implementing a Standalone Server Isolation Policy Design diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md index 547685f707..e6fd6b4090 100644 --- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md @@ -4,7 +4,7 @@ description: Learn how to configure authentication methods for devices in an iso ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Configure Authentication Methods diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md index 886c851257..41b2b78f6c 100644 --- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md @@ -4,7 +4,7 @@ description: Learn how to configure the data protection settings for connection ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Configure Data Protection (Quick Mode) Settings diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md index c619cda63c..cfc3364fe7 100644 --- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md +++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md @@ -4,7 +4,7 @@ description: Learn how to configure Group Policy to automatically enroll client ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Configure Group Policy to Autoenroll and Deploy Certificates diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md index 7666bdc174..f1b75a3291 100644 --- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md @@ -4,7 +4,7 @@ description: Learn how to configure the main mode key exchange settings used to ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Configure Key Exchange (Main Mode) Settings diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md index ca7c77dfd2..561ea0f380 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md @@ -4,7 +4,7 @@ description: Learn how to configure rules to add encryption algorithms and delet ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Configure the Rules to Require Encryption diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md index 8cb54165e1..4c82249ccd 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md @@ -4,7 +4,7 @@ description: Learn how to configure Windows Defender Firewall with Advanced Secu ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Configure the Windows Defender Firewall with Advanced Security Log diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md index 927053f40c..7ff2117797 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md @@ -5,13 +5,14 @@ ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6 ms.reviewer: manager: dansimp ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.date: 07/30/2018 +ms.technology: mde --- # Configure the Workstation Authentication Certificate Template diff --git a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index e7e888bcdb..200675b11a 100644 --- a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -4,7 +4,7 @@ description: Configure Windows Defender Firewall with Advanced Security to suppr ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md index 65704e92f5..8af8ad2d89 100644 --- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md +++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md @@ -4,7 +4,7 @@ description: Learn how to confirm that a Group Policy is being applied as expect ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: securit @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Confirm That Certificates Are Deployed Correctly diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md index 51ecd3fcb2..4020fab006 100644 --- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md @@ -4,7 +4,7 @@ description: Learn how to make a copy of a GPO by using the Active Directory Use ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Copy a GPO to Create a New GPO diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md index 35f885a1ee..3511ad7f7f 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md @@ -4,7 +4,7 @@ description: Learn how to create a security group for the computers that are to ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create a Group Account in Active Directory diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md index b2cef93530..e6e1e18867 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md @@ -4,7 +4,7 @@ description: Learn how to use the Active Directory Users and Computers MMC snap- ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create a Group Policy Object diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md index bdcad85769..35cb8d066a 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md @@ -4,7 +4,7 @@ description: Learn how to create rules that exempt devices that cannot communica ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Create an Authentication Exemption List Rule diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md index 38155aa557..8d9c8d6a87 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md @@ -4,7 +4,7 @@ description: Create a new rule for Windows Defender Firewall with Advanced Secur ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Create an Authentication Request Rule diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md index 914c035aa9..c56953f28c 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md @@ -4,7 +4,7 @@ description: Learn how to allow inbound ICMP traffic by using the Group Policy M ms.assetid: 267b940a-79d9-4322-b53b-81901e357344 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Create an Inbound ICMP Rule diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md index 89db14ccae..05df6a67cc 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md @@ -4,7 +4,7 @@ description: Learn to allow traffic on specific ports by using the Group Policy ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Create an Inbound Port Rule diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md index c2d887fe0d..a47d50ae43 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md @@ -4,7 +4,7 @@ description: Learn how to allow inbound traffic to a program or service by using ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Create an Inbound Program or Service Rule diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md index db459ab562..a463162a4d 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md @@ -4,7 +4,7 @@ description: Learn to block outbound traffic on a port by using the Group Policy ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Create an Outbound Port Rule diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index d1211abf11..fe0b68eb1d 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md @@ -4,7 +4,7 @@ description: Use the Windows Defender Firewall with Advanced Security node in th ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Create an Outbound Program or Service Rule diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md index e44f10923b..59cb4d71cb 100644 --- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md +++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md @@ -4,7 +4,7 @@ description: Learn how to allow RPC network traffic by using the Group Policy Ma ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Create Inbound Rules to Support RPC diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 9b88cddfe3..51e3460b93 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -4,7 +4,7 @@ description: Learn how to use Intune to create rules in Windows Defender Firewal ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Create Windows Firewall rules in Intune diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md index ebcd8943b9..d863d37050 100644 --- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md @@ -4,7 +4,7 @@ description: Learn how to use WMI filters on a GPO to make sure that each GPO fo ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 05/25/2017 +ms.technology: mde --- # Create WMI Filters for the GPO @@ -25,9 +26,9 @@ ms.date: 05/25/2017 To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. -- [To create a WMI filter that queries for a specified version of Windows](#to-create-a-wmi-filter-that-queries-for-a-specified-version-of-windows) - -- [To link a WMI filter to a GPO](#to-link-a-wmi-filter-to-a-gpo) +- [Create WMI Filters for the GPO](#create-wmi-filters-for-the-gpo) + - [To create a WMI filter that queries for a specified version of Windows](#to-create-a-wmi-filter-that-queries-for-a-specified-version-of-windows) + - [To link a WMI filter to a GPO](#to-link-a-wmi-filter-to-a-gpo) **Administrative credentials** @@ -79,6 +80,12 @@ First, create the WMI filter and configure it to look for a specified version (o select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1" ``` + Specific versions of Windows 10 can be targeted by including the *major build version* in the query. The following query returns **true** for all devices running Windows 10 20H2 (which has a *major build version* of `19042`), and returns **false** for any server operating system or any other client operating system. Additional information about Windows 10 build versions can be found at [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information). + + ```syntax + select * from Win32_OperatingSystem where Version like "10.0.19042" and ProductType="1" + ``` + The following query returns **true** for any device running Windows Server 2016, except domain controllers: ``` syntax diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index 95428bb9b0..68a9281a43 100644 --- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -4,7 +4,7 @@ description: Answer the question in this article to design an effective Windows ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Designing a Windows Defender Firewall with Advanced Security Strategy diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md index b4f3c5a658..89fca32581 100644 --- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md @@ -4,7 +4,7 @@ description: Learn how to define the trusted state of devices in your enterprise ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Determining the Trusted State of Your Devices diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md index 6ed3a0bf2a..e8f37ee452 100644 --- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md @@ -4,7 +4,7 @@ description: Learn how to document the zone placement of devices in your design ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Documenting the Zones diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md index bdc9a665db..0e7f47576b 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md @@ -4,7 +4,7 @@ description: This example uses a fictitious company to illustrate domain isolati ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain Isolation Policy Design Example diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index ab6c8e4327..6c13157e59 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md @@ -4,7 +4,7 @@ description: Learn how to design a domain isolation policy, based on which devic ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Domain Isolation Policy Design diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md index 8882aa43b5..0a1b0212b6 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md @@ -4,7 +4,7 @@ description: Learn the rules for Windows Defender Firewall with Advanced Securit ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Enable Predefined Inbound Rules diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md index 92491a2ab8..28e4f8649e 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md @@ -4,7 +4,7 @@ description: Learn to deploy predefined firewall rules that block outbound netwo ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Enable Predefined Outbound Rules diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md index 33338e8b52..9dc32a7f67 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md @@ -4,7 +4,7 @@ description: Learn how to add a device to an encryption zone by adding the devic ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Encryption Zone GPOs diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md index 715a2eef02..3fba99acba 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md @@ -4,7 +4,7 @@ description: Learn how to create an encryption zone to contain devices that host ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Encryption Zone diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md index 8ac067b11e..2f7a20377f 100644 --- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -4,7 +4,7 @@ description: Evaluating Windows Defender Firewall with Advanced Security Design ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Evaluating Windows Defender Firewall with Advanced Security Design Examples diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md index 5b87eef36e..38c6fd67c7 100644 --- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md +++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md @@ -4,7 +4,7 @@ description: Learn how to add exemptions for any network traffic that uses the I ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Exempt ICMP from Authentication diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md index eb4909a401..b923df309c 100644 --- a/windows/security/threat-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -4,7 +4,7 @@ description: Learn about reasons to add devices to an exemption list in Windows ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Exemption List diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md new file mode 100644 index 0000000000..e890a72528 --- /dev/null +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -0,0 +1,172 @@ +--- +title: Filter origin audit log improvements +description: Filter origin documentation audit log improvements +ms.reviewer: +ms.author: v-bshilpa +ms.prod: m365-security +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: normal +author: Benny-54 +manager: dansimp +ms.collection: + - m365-security-compliance + - m365-initiative-windows-security +ms.topic: troubleshooting +ms.technology: mde +--- + +# Filter origin audit log improvements + +Debugging packet drops is a continuous issue to Windows customers. In the past, customers had limited information about packet drops. + +Typically, when investigating packet drop events, a customer would use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits 5157 or 5152. + +![Event properties](images/event-properties-5157.png) + +The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. + +However, the filter ID is not a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. This makes the diagnosis process error-prone and difficult. + +For customers to debug packet drop events correctly and efficiently, they would need more context about the blocking filter such as its origin. + +The blocking filters can be categorized under these filter origins: + +1. Firewall rules + +2. Firewall default block filters + + a. AppContainer loopback + + b. Boottime default + + c. Quarantine default + + d. Query user default + + e. Stealth + + f. Universal Windows Platform (UWP) default + + g. Windows Service Hardening (WSH) default + +The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in Iron release. + + ## Improved firewall audit + +The two new fields added to the audit 5157 and 5152 events are `Filter Origin` and `Interface Index`. + +The `Filter Origin` field helps identify the cause of the drop. Packet drops from firewall are explicitly dropped by default block filters created by the Windows Firewall service or a firewall rule that may be created by users, policies, services, apps, etc. + +`Filter Origin` specifies either the rule ID (a unique identifier of a Firewall rule) or the name of one of the default block filters. + +The `Interface Index` field specifies the network interface in which the packet was dropped. This field helps to identify which interface was quarantined, if the `Filter Origin` is a `Quarantine Default`. + +To enable a specific audit event, run the corresponding command in an administrator command prompt: + +|**Audit #**|**Enable command**|**Link**| +|:-----|:-----|:-----| +|**5157**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157)| +|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5152)| + +## Example flow of debugging packet drops with filter origin + +As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop and the interface it happened on. + +![Event audit](images/event-audit-5157.png) + +The next sections are divided by `Filter Origin` type, the value is either a rule name or the name of one of the default block filters. If the filter origin is one of the default block filters, skip to the section, **Firewall default block filters**. Otherwise, continue to the section **Firewall rules**. + +## Firewall rules + +Run the following PowerShell command to generate the rule information using `Filter Origin`. + +```Powershell +Get-NetFirewallRule -Name “” +Get-NetFirewallRule -Name " {A549B7CF-0542-4B67-93F9-EEBCDD584377} " +``` + +![Firewall rule](images/firewallrule.png) + +After identifying the rule that caused the drop, the network admin can now modify/disable the rule to allow the traffic they want through command prompt or using the Windows Defender UI. The network admin can find the rule in the UI with the rule’s `DisplayName`. + +>[!NOTE] +> Firewall rules from Mobile Device Management (MDM) store cannot be searched using the Windows Defender UI. Additionally, the above method will not work when the `Filter Origin` is one of the default block filters, as they do not correspond to any firewall rules. + +## Firewall default block filters + +**AppContainer loopback** + +Network drop events from the AppContainer loopback block filter origin occur when localhost loopback is not enabled properly for the Universal Windows Platform (UWP) app. + +To enable localhost loopback in a local debugging environment, see [Communicating with localhost](https://docs.microsoft.com/windows/iot-core/develop-your-app/loopback). + +To enable localhost loopback for a published app that requires loopback access to communicate with another UWP or packaged win32 app, see [uap4:LoopbackAccessRules](https://docs.microsoft.com/uwp/schemas/appxpackage/uapmanifestschema/element-uap4-loopbackaccessrules). + +**Boottime default** + +Network drop events from the boottime default block filter origin occur when the computer is booting up and the firewall service is not yet running. Services will need to create a boottime allow filter to allow the traffic. It should be noted that it is not possible to add boottime filters through firewall rules. + +**Quarantine default** + +Network drops from the quarantine default block filter occur when the interface is temporarily quarantined by Firewall service. The firewall service quarantines an interface when it detects a change on the network, and based on several other factors, the firewall service may put the interface in quarantine as a safeguard. When an interface is in quarantine, the quarantine default block filter will block any new non-loopback inbound connections. + +Run the following PowerShell command to generate more information about the interface: + +```Powershell +Get-NetIPInterface –InterfaceIndex +Get-NetIPInterface –InterfaceIndex 5 +``` + +![Quarantine default block filter](images/quarantine-default-block-filter.png) + +To learn more about the quarantine feature, see [Quarantine behavior](quarantine.md). + +>[!NOTE] +> Quarantine-related packet drops are often transient and signify nothing more than a network change on the interface. + +**Query user default** + +Network packet drops from query user default block filters occur when there is no explicit rule created to allow an inbound connection for the packet. When an application binds to a socket but does not have a corresponding inbound rule to allow packets on that port, Windows generates a pop up for the user to allow or deny the app to receive packets on the available network categories. If the user clicks to deny the connection in this popup, subsequent inbound packets to the app will be dropped. To resolve the drops: + +1. Create an inbound firewall rule to allow the packet for this application. This will allow the packet to bypass any query user default block filters. + +2. Delete any block query user rules that may have been auto generated by the firewall service. + +To generate a list of all the query user block rules, you can run the following PowerShell command: + +```Powershell +Get-NetFirewallRule | Where {$_.Name -like "*Query User*"} +``` + +![Query user default block filter](images/query-user-default-block-filters.png) + +The query user pop-up feature is enabled by default. + +To disable the query user pop-up, you can run the following in administrative command prompt: + +```Console +Netsh set allprofiles inboundusernotification disable +``` +Or in PowerShell: + +```Powershell +Set-NetFirewallProfile -NotifyOnListen False +``` + +**Stealth** + +Network drops from stealth filters are typically made to prevent port scanning. + +To disable stealth-mode, see [Disable stealth mode in Windows](https://docs.microsoft.com/troubleshoot/windows-server/networking/disable-stealth-mode). + +**UWP default** + +Network drops from Universal Windows Platform (UWP) default inbound/outbound block filters are often caused by the UWP app not being configured correctly (that is, the UWP app is missing the correct capability tokens or loopback is not enabled) or the private range is configured incorrectly. + +For more information on how to debug drops caused by UWP default block filters, see [Troubleshooting UWP App Connectivity Issues](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall). + +**WSH default** + +Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. + diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md index 8a214a169f..faa8a0d788 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md +++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md @@ -4,7 +4,7 @@ description: In this example, a Group Policy Object is linked to the domain cont ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Firewall GPOs diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index ca7bc12d6f..8c8fb36ee5 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -4,7 +4,7 @@ description: This example features a fictitious company and illustrates firewall ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Basic Firewall Policy Design Example diff --git a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md new file mode 100644 index 0000000000..cb36df4ddd --- /dev/null +++ b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md @@ -0,0 +1,42 @@ +--- +title: Troubleshooting Windows Firewall settings after a Windows upgrade +description: Firewall settings lost on upgrade +ms.reviewer: +ms.author: v-bshilpa +ms.prod: m365-security +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: Benny-54 +manager: dansimp +ms.collection: + - m365-security-compliance + - m365-initiative-windows-security +ms.topic: troubleshooting +ms.technology: mde +--- + +# Troubleshooting Windows Firewall settings after a Windows upgrade + +Use this article to troubleshoot firewall settings that are turned off after upgrading to a new version of Windows. + +## Rule groups + +To help you organize your list, individual built-in firewall rules are categorized within a group. For example, the following rules form part of the Remote Desktop group. + +- Remote Desktop – Shadow (TCP-In) +- Remote Desktop – User Mode (TCP-In) +- Remote Desktop – User-Mode (UDP-In) + +Other group examples include **core networking**, **file and print sharing**, and **network discovery**. Grouping allows admins to manage sets of similar rules by filtering on categories in the firewall interface (wf.msc). Do this by right-clicking on either **Inbound** or **Outbound Rules** and selecting **Filter by Group**. Optionally, you can use PowerShell using the `Get-NetFirewallRule` cmdlet with the `-Group` switch. + +```Powershell +Get-NetFirewallRule -Group +``` + +> [!NOTE] +> Microsoft recommends to enable or disable an entire group instead of individual rules. + +Microsoft recommends that you enable/disable all of the rules within a group instead of one or two individual rules. This is because groups are not only used to organize rules and allow batch rule modification by type, but they also represent a 'unit' by which rule state is maintained across a Windows upgrade. Rule groups, as opposed to individual rules, are the unit by which the update process determines what should be enabled/disabled when the upgrade is complete. + +For example, the Remote Desktop group consists of three rules. To ensure that the rule set is properly migrated during an upgrade, all three rules must be enabled. If only one rule is enabled, the upgrade process will see that two of three rules are disabled and subsequently disable the entire group to maintain a clean, out-of-the-box configuration. This scenario has the unintended consequence of breaking Remote Desktop Protocol (RDP) connectivity to the host. diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index 56c50d121a..35ed36b193 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md @@ -4,7 +4,7 @@ description: Learn about gathering Active Directory information, including domai ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Gathering Information about Your Active Directory Deployment diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index dc11219314..97aed509bc 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -4,7 +4,7 @@ description: Learn how to gather info about your network infrastructure so that ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Gathering Information about Your Current Network Infrastructure diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md index 0d8532e07e..1e9b7fee54 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md @@ -4,7 +4,7 @@ description: Learn what information to gather about the devices in your enterpri ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Gathering Information about Your Devices diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md index 44b471961b..8d8f65a0a5 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md @@ -4,7 +4,7 @@ description: Learn about additional information you may need to gather to deploy ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Gathering Other Relevant Information diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md index 3d79b04f30..fbdf23f73f 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md @@ -4,7 +4,7 @@ description: Collect and analyze information about your network, directory servi ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Gathering the Information You Need diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md index ca757eeba4..4ea713f793 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md @@ -4,7 +4,7 @@ description: This example GPO supports devices that are not part of the isolated ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # GPO\_DOMISO\_Boundary diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md index 7ca03d22e7..7c81975bea 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md @@ -9,12 +9,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium ms.date: 08/17/2017 +ms.technology: mde --- # GPO\_DOMISO\_Encryption\_WS2008 diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md index 3cba8b312c..7799c8484f 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md @@ -4,7 +4,7 @@ description: Learn about the settings and rules in this example GPO, which is au ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # GPO\_DOMISO\_Firewall diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index bc1c471475..c5c16902b2 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -4,7 +4,7 @@ description: Author this GPO by using the Windows Defender Firewall with Advance ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # GPO\_DOMISO\_IsolatedDomain\_Clients diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index de34b9c3ad..a7e5651251 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -4,7 +4,7 @@ description: Author this GPO by using the Windows Defender Firewall wit ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # GPO\_DOMISO\_IsolatedDomain\_Servers diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 96725d8ff3..738e348ccd 100644 --- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -4,7 +4,7 @@ description: Identifying Your Windows Defender Firewall with Advanced Security ( ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Identifying Windows Defender Firewall with Advanced Security implementation goals diff --git a/windows/security/threat-protection/windows-firewall/images/event-audit-5157.png b/windows/security/threat-protection/windows-firewall/images/event-audit-5157.png new file mode 100644 index 0000000000..a81af9fd83 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/event-audit-5157.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/event-properties-5157.png b/windows/security/threat-protection/windows-firewall/images/event-properties-5157.png new file mode 100644 index 0000000000..8b0fc9cc89 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/event-properties-5157.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/firewallrule.png b/windows/security/threat-protection/windows-firewall/images/firewallrule.png new file mode 100644 index 0000000000..040511d279 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/firewallrule.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/quarantine-default-block-filter.png b/windows/security/threat-protection/windows-firewall/images/quarantine-default-block-filter.png new file mode 100644 index 0000000000..e57ad13f93 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/quarantine-default-block-filter.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/quarantine-default1.png b/windows/security/threat-protection/windows-firewall/images/quarantine-default1.png new file mode 100644 index 0000000000..4c7a173be7 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/quarantine-default1.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/quarantine-interfaceindex1.png b/windows/security/threat-protection/windows-firewall/images/quarantine-interfaceindex1.png new file mode 100644 index 0000000000..d6679e1e0e Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/quarantine-interfaceindex1.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/query-user-default-block-filters.png b/windows/security/threat-protection/windows-firewall/images/query-user-default-block-filters.png new file mode 100644 index 0000000000..ca61aae7e2 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/query-user-default-block-filters.png differ diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 841c88ae5d..7b95852c3d 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -4,7 +4,7 @@ description: Implementing Your Windows Defender Firewall with Advanced Security ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Implementing Your Windows Defender Firewall with Advanced Security Design Plan diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md index a07f984898..878839f37f 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md @@ -4,7 +4,7 @@ description: Learn about GPOs for isolated domains in this example configuration ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Isolated Domain GPOs diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md index 90b121b86e..1b9d83e173 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md @@ -4,7 +4,7 @@ description: Learn about the isolated domain, which is the primary zone for trus ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Isolated Domain diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md index 169d59a2df..bfd7f19f0a 100644 --- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md @@ -1,7 +1,7 @@ --- title: Isolating Microsoft Store Apps on Your Network (Windows 10) description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.topic: conceptual ms.date: 10/13/2017 ms.reviewer: ms.author: dansimp +ms.technology: mde --- # Isolating Microsoft Store Apps on Your Network diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md index 9f710aa000..7759669531 100644 --- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md +++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md @@ -4,7 +4,7 @@ description: Learn how to link a GPO to the Active Directory container for the t ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Link the GPO to the Domain diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index 314389955f..ee043c54a0 100644 --- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -1,10 +1,10 @@ --- title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows 10) -description: Mapping your implementation goals to a Windows Firewall with Advanced Security design +description: Mapping your implementation goals to a Windows Firewall with Advanced Security design ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Mapping your implementation goals to a Windows Firewall with Advanced Security design diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index 9a78732eb3..2f2ec6ad54 100644 --- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -4,7 +4,7 @@ description: Learn how to modify GPO filters to apply to a different zone or ver ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Modify GPO Filters to Apply to a Different Zone or Version of Windows diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md index 63c6cbf6d2..7046b6230b 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md @@ -4,7 +4,7 @@ description: Learn how to open the Group Policy Management Console to IP Securit ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Open the Group Policy Management Console to IP Security Policies diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index ae4136db06..5c3d340ea4 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -4,7 +4,7 @@ description: Group Policy Management of Windows Firewall with Advanced Security ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Group Policy Management of Windows Firewall with Advanced Security diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 134a6bb928..2c7d2f500b 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -4,7 +4,7 @@ description: Group Policy Management of Windows Defender Firewall with Advanced ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/02/2017 +ms.technology: mde --- # Group Policy Management of Windows Defender Firewall diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index 3d67c96d9d..1b99cfae07 100644 --- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md @@ -4,7 +4,7 @@ description: Learn how to open the Windows Defender Firewall with Advanced Secur ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Open Windows Defender Firewall with Advanced Security diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md index b2b2a0467b..0f8b7c455f 100644 --- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md +++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md @@ -4,7 +4,7 @@ description: Learn how a device unable to join an Active Directory domain can st ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Planning Certificate-based Authentication diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md index 5a7fcb44a2..af5214261c 100644 --- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md @@ -4,7 +4,7 @@ description: Learn how to use information you have gathered to make decisions ab ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Planning Domain Isolation Zones diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md index 831200cf48..0f0993409e 100644 --- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md +++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md @@ -4,7 +4,7 @@ description: Learn how to use security group filtering and WMI filtering to prov ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Planning GPO Deployment diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md index 22f031c902..7899c1c091 100644 --- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md @@ -4,7 +4,7 @@ description: Learn how to plan a group policy deployment for your isolation zone ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Planning Group Policy Deployment for Your Isolation Zones diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md index cef2c16969..c4fff5ce81 100644 --- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md @@ -4,7 +4,7 @@ description: Learn about planning isolation groups for the zones in Microsoft Fi ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Planning Isolation Groups for the Zones diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md index 5cb6ff075c..57d452edac 100644 --- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md +++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md @@ -4,7 +4,7 @@ description: Learn how to implement a network access group for users and devices ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Planning Network Access Groups diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md index b1af014fa5..a89145ab4a 100644 --- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md @@ -4,7 +4,7 @@ description: Learn how to restrict access to a server to approved users by using ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Planning Server Isolation Zones diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index 5a8cd1a017..ce989c23c6 100644 --- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -4,7 +4,7 @@ description: Learn how to design a basic policy for Windows Defender Firewall wi ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Planning Settings for a Basic Firewall Policy diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md index 80b776ca44..8bb1208626 100644 --- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md +++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md @@ -4,7 +4,7 @@ description: Learn about planning Group Policy Objects for your isolation zones ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Planning the GPOs diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index 74dacfe608..7dabf87126 100644 --- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -4,7 +4,7 @@ description: Use the design information in this article to plan for the deployme ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Planning to Deploy Windows Defender Firewall with Advanced Security diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index 29b25a7dd2..437bb3fbeb 100644 --- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -4,7 +4,7 @@ description: After you gather the relevant information, select the design or com ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Planning Your Windows Defender Firewall with Advanced Security Design diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md index 643f41ab14..e301390ef9 100644 --- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md @@ -4,7 +4,7 @@ description: Refer to this summary of procedures for Windows Defender Firewall w ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Procedures Used in This Guide diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md index a05d8eb5a3..233776996f 100644 --- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md +++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md @@ -4,7 +4,7 @@ description: Learn how running a host-based firewall on every device in your org ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Protect devices from unwanted network traffic diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md new file mode 100644 index 0000000000..be83308889 --- /dev/null +++ b/windows/security/threat-protection/windows-firewall/quarantine.md @@ -0,0 +1,214 @@ +--- +title: Quarantine behavior +description: Quarantine behavior is explained in detail. +ms.author: v-bshilpa +author: Benny-54 +manager: dansimp +ms.assetid: +ms.reviewer: +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: normal +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 11/17/2020 +ms.technology: mde +--- + +# Quarantine behavior + +One of the security challenges that network admins face is configuring a machine properly after a network change. + +Network changes can happen frequently. Additionally, the operations required to recategorize the network after a change and apply the correct security policies on a machine are non-trivial and may require considerable CPU time. This is especially true for machines that are part of the domain. In the past, the delay in applying security policies during network recategorization has been successfully exploited for vulnerabilities. + +To counter this potential exploitation, Windows Firewall will quarantine an interface until the system has successfully recategorized the network and Windows Filtering Platform (WFP) has the correct filters applied for the updated interface configuration. During quarantine, all new inbound connections without exceptions are blocked to the machine. + +While the quarantine feature has long been a part of Windows Firewall, the feature behavior has often caused confusion for customers unaware of quarantine and its motivations. + +Ultimately, the goal of this document is to describe the quarantine feature at a high level and help network admins understand why the application traffic is sometimes blocked by quarantine. + +## Quarantine filters + +The quarantine feature creates filters that can be split into three categories: + +- Quarantine default inbound block filter +- Quarantine default exception filters +- Interface un-quarantine filters + +These filters are added in the FWPM_SUBLAYER_MPSSVC_QUARANTINE sublayer and these layers are: + +1. FWPM_LAYER_ALE_AUTH_CONNECT_V4 + +2. FWPM_LAYER_ALE_AUTH_CONNECT_V6 + +3. FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 + +4. FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6 + +>[!NOTE] +> Any firewall rules added by the customers will not affect the filters in the quarantine sublayer as filters from Firewall rules are added in the FWPM_SUBLAYER_MPSSVC_WF sublayer. In other words, customers cannot add their own exception filters to prevent packets from being evaluated by quarantine filters. + +For more information about WFP layers and sublayers, see [WFP Operation](https://docs.microsoft.com/windows/win32/fwp/basic-operation). + +### Quarantine default inbound block filter + +The quarantine default inbound block filter effectively blocks any new non-loopback inbound connections if the packet is not explicitly permitted by another filter in the quarantine sublayer. + +### Quarantine default exception filters + +When the interface is in quarantine state, the quarantine default exception filters will permit new inbound connections given that they meet the conditions of an exception filter. One example of the exception filters is the quarantine default inbound loopback exception filter. This exception filter allows all loopback packets when the interface is in quarantine state. + +### Interface un-quarantine filter + +The interface un-quarantine filters allow all non-loopback packets if the interface is successfully categorized. + +## Quarantine flow + +The following describes the general flow of quarantine: + +1. There is some change on the current network interface. + +2. The interface un-quarantine filters will no longer permit new inbound connections. The interface is now in quarantine state. + +3. All non-loopback inbound connections are either permitted by quarantine default exception filters or dropped by the quarantine default inbound block filter. + +4. The WFP filters applicable to the old interface state are removed. + +5. The WFP filters applicable to the new interface state are added, which include the un-quarantine filters for this interface. These filters are updated to match the interface's current state. + +6. The interface has now exited quarantine state as the interface un-quarantine filters permit any new non-loopback packets. + +## Quarantine diagnostics + +There are two methods of identifying packet drops from the quarantine default inbound block filter. + +Given that the network connectivity issue is reproducible, diagnostic traces can be collected by running the following in an administrative command prompt: + +```console +Netsh wfp cap start + +Netsh wfp cap stop +``` + +These commands generate a wfpdiag.cab. Inside the .cab exists a wfpdiag.xml, which contains drop `netEvents` and filters that existed during that reproduction. + +Inside the wfpdiag.xml, search for `netEvents` that have `FWPM_NET_EVENT_TYPE_CLASSIFY_DROP` as the `netEvent` type. To find the relevant drop events, search for the drop events with matching destination IP address, package SID, or application ID name. + +The characters in the application ID name will be separated by periods: + +```XML + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... +``` + +The `netEvent` will have more information about the packet that was dropped including information about its capabilities, the filter that dropped the packet, and much more. + +If the filter that dropped that packet was by the quarantine default inbound block filter, then the drop `netEvent` will have `filterOrigin` as `Quarantine Default`. + +The following is a sample `netEvent` with `filterOrigin` as `Quarantine Default`. + +```XML + +
        + 2020-10-07T01:03:56.281Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V4 + 17 + 255.255.255.255 + 10.195.33.252 + 21 + 61706 + 0 + + 5c00640065006d00330032005c0073007600630068006f00730074002e006500780065000000 + \.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.v.c.h.o.s.t...e.x.e... + + S-1-5-19 + FWP_AF_INET + S-1-0-0 + + 0 + +
        + FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + + 66241 + 44 + 0 + 0 + 0 + MS_FWP_DIRECTION_OUT + false + + 0 + 0 + + + + FWPM_NET_EVENT_INTERNAL_FLAG_FILTER_ORIGIN_SET + + + 0 + + + + 66241 + FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE + FWP_ACTION_BLOCK + + + 74045 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_BLOCK + + + 73602 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_BLOCK + + + Quarantine Default + 5 + +         + +``` + +Alternatively, If the Filtering Platform Connection failure auditing is enabled, the drop event will be logged in Windows Event Viewer. + +To enable Filtering Platform Connection audits, run the following command in an administrative command prompt: + +```console +Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable +``` + +Sample drop audit with `filterOrigin` as `Quarantine Default`. + +![Quarantine default](images/quarantine-default1.png) + +Once the drop’s filter origin has been identified as the quarantine default inbound block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface: + +```Powershell +Get-NetIPInterface –InterfaceIndex +Get-NetIPInterface –InterfaceIndex 5 +``` + +![Quarantine Interfaceindex](images/quarantine-interfaceindex1.png) + +Using the interface name, event viewer can be searched for any interface related changes. + +To enable more networking audit events, see [Enable IPsec and Windows Firewall Audit Events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754714(v=ws.10)?redirectedfrom=MSDN). + +Packet drops from the quarantine default inbound block filter are often transient and do not signify anything more than a network change on the interface. diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index a79aedce9d..81a548b4ee 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -4,7 +4,7 @@ description: Windows Defender Firewall with Advanced Security allows you to requ ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Require Encryption When Accessing Sensitive Network Resources diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index 117070ef88..a50232fe28 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md @@ -4,7 +4,7 @@ description: Restrict access to devices and users that are members of domain gro ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Restrict Access to Only Specified Users or Computers diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index 27007f7718..d7de7d8963 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -4,7 +4,7 @@ description: Windows Defender Firewall with Advanced Security enables you to iso ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Restrict access to only trusted devices diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index 92f54d794a..a9a24aa516 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md @@ -4,7 +4,7 @@ description: Create a firewall rule to access isolated servers running Windows S ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Restrict Server Access to Members of a Group Only diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 5ded02bd51..d074ada7fc 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -1,7 +1,7 @@ --- title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows 10) description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.topic: conceptual ms.date: 08/17/2017 ms.reviewer: ms.author: dansimp +ms.technology: mde --- # Securing End-to-End IPsec connections by using IKEv2 diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md index 8286d47f26..bb23429112 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md @@ -4,7 +4,7 @@ description: Learn about required GPOs for isolation zones and how many server i ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Server Isolation GPOs diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index daba2b5e2c..0e2b6ce11e 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -4,7 +4,7 @@ description: Learn about server isolation policy design in Windows Defender Fire ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Server Isolation Policy Design Example diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index d5c4333424..f4d452b4cf 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md @@ -4,7 +4,7 @@ description: Learn about server isolation policy design, where you assign server ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Server Isolation Policy Design diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md index 00bdfd5630..ca95cee02b 100644 --- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md @@ -1,19 +1,19 @@ --- title: Troubleshooting UWP App Connectivity Issues in Windows Firewall description: Troubleshooting UWP App Connectivity Issues in Windows Firewall - ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp ms.collection: -- m365-security-compliance -- m365-initiative-windows-security + - m365-security-compliance + - m365-initiative-windows-security ms.topic: troubleshooting +ms.technology: mde --- # Troubleshooting UWP App Connectivity Issues diff --git a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md index 0b72885c6e..b6a468447e 100644 --- a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md @@ -4,7 +4,7 @@ description: Turn on Windows Defender Firewall with Advanced Security and Config ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index 0449d6b01f..6a77eda3f7 100644 --- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -1,7 +1,7 @@ --- title: Understand WFAS Deployment (Windows 10) description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.topic: conceptual ms.date: 08/17/2017 ms.reviewer: ms.author: dansimp +ms.technology: mde --- # Understanding the Windows Defender Firewall with Advanced Security Design Process diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index a7178f39fe..113c3c0cc2 100644 --- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -4,7 +4,7 @@ description: Learn how to confirm that network traffic is being protected by IPs ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Verify That Network Traffic Is Authenticated diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 4daaa5d367..c21749b77b 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -1,7 +1,7 @@ --- title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows 10) description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.topic: conceptual ms.date: 08/17/2017 ms.reviewer: ms.author: dansimp +ms.technology: mde --- # Windows Defender Firewall with Advanced Security Administration with Windows PowerShell diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index ddb0304065..9a3954cc03 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -4,7 +4,7 @@ description: Use this guide to deploy Windows Defender Firewall with Advanced Se ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/17/2017 +ms.technology: mde --- # Windows Defender Firewall with Advanced Security deployment overview diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index 98fe19379f..e1a438412f 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -4,7 +4,7 @@ description: Learn about common goals for using Windows Defender Firewall with A ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/05/2017 +ms.technology: mde --- # Windows Defender Firewall with Advanced Security design guide diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 00b1374150..e3becc881c 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -1,7 +1,7 @@ --- title: Windows Defender Firewall with Advanced Security (Windows 10) description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.topic: conceptual ms.date: 10/21/2020 ms.reviewer: ms.custom: asr +ms.technology: mde --- # Windows Defender Firewall with Advanced Security diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index 3dece2757f..3bcba3890f 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md @@ -1,9 +1,9 @@ --- title: Common Criteria Certifications description: This topic details how Microsoft supports the Common Criteria certification program. -ms.prod: w10 +ms.prod: m365-security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management @@ -11,6 +11,7 @@ ms.topic: article ms.localizationpriority: medium ms.date: 3/20/2019 ms.reviewer: +ms.technology: mde --- # Common Criteria Certifications diff --git a/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png b/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png index 8f94ffe396..fd26c617e2 100644 Binary files a/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png and b/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png differ diff --git a/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png b/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png index bad3e1c0b3..9e07180cff 100644 Binary files a/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png and b/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png differ diff --git a/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png b/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png index fe3245e60a..c78584b31e 100644 Binary files a/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png and b/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png differ diff --git a/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png b/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png index ee8aa78bbc..ff2190d062 100644 Binary files a/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png and b/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png differ diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md index eb25e2cf9c..1ea2225ff6 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md @@ -1,7 +1,7 @@ --- title: Windows Sandbox architecture description: -ms.prod: w10 +ms.prod: m365-security audience: ITPro author: dansimp ms.author: dansimp @@ -11,6 +11,7 @@ ms.topic: article ms.localizationpriority: ms.date: ms.reviewer: +ms.technology: mde --- # Windows Sandbox architecture diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 16214a5f59..6eb53f8e15 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -1,7 +1,7 @@ --- title: Windows Sandbox configuration description: -ms.prod: w10 +ms.prod: m365-security audience: ITPro author: dansimp ms.author: dansimp @@ -11,17 +11,15 @@ ms.topic: article ms.localizationpriority: medium ms.date: ms.reviewer: +ms.technology: mde --- # Windows Sandbox configuration -Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later. +Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later. Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the `.wsb` file extension. -Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension. To use a configuration file, double-click it to open it in the sandbox. You can also invoke it via the command line as shown here: +A configuration file enables the user to control the following aspects of Windows Sandbox: -**C:\Temp> MyConfigFile.wsb** - - A configuration file enables the user to control the following aspects of Windows Sandbox: - **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP). - **Networking**: Enable or disable network access within the sandbox. - **Mapped folders**: Share folders from the host with *read* or *write* permissions. Note that exposing host directories may allow malicious software to affect the system or steal data. @@ -33,13 +31,39 @@ Windows Sandbox configuration files are formatted as XML and are associated with - **Clipboard redirection**: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth. - **Memory in MB**: The amount of memory, in megabytes, to assign to the sandbox. -**Keywords, values, and limits** +## Creating a configuration file -**vGPU**: Enables or disables GPU sharing. +To create a simple configuration file: + +1. Open a plain text editor or source code editor (e.g. Notepad, Visual Studio Code, etc.) +2. Insert the following lines: + + ```XML + + + ``` + +3. Add appropriate configuration text between the two lines. For details, see the correct syntax and the examples below. +4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, e.g. `"My config file.wsb"`. + +## Using a configuration file + +To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here: + +```batch +C:\Temp> MyConfigFile.wsb +``` + +## Keywords, values, and limits + +### vGPU + +Enables or disables GPU sharing. `value` Supported values: + - *Enable*: Enables vGPU support in the sandbox. - *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU. - *Default* This is the default value for vGPU support. Currently this means vGPU is disabled. @@ -47,7 +71,9 @@ Supported values: > [!NOTE] > Enabling virtualized GPU can potentially increase the attack surface of the sandbox. -**Networking**: Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. +### Networking + +Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. `value` @@ -58,7 +84,9 @@ Supported values: > [!NOTE] > Enabling networking can expose untrusted applications to the internal network. -**Mapped folders**: An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to the container user's desktop. +### Mapped folders + +An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to the container user's desktop. ```xml @@ -83,7 +111,9 @@ Supported values: > [!NOTE] > Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host. -**Logon command**: Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. +### Logon command + +Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. ```xml @@ -96,7 +126,9 @@ Supported values: > [!NOTE] > Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive. -**Audio input**: Enables or disables audio input to the sandbox. +### Audio input + +Enables or disables audio input to the sandbox. `value` @@ -108,7 +140,9 @@ Supported values: > [!NOTE] > There may be security implications of exposing host audio input to the container. -**Video input**: Enables or disables video input to the sandbox. +### Video input + +Enables or disables video input to the sandbox. `value` @@ -120,7 +154,9 @@ Supported values: > [!NOTE] > There may be security implications of exposing host video input to the container. -**Protected client**: Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack surface. +### Protected client + +Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack surface. `value` @@ -132,7 +168,9 @@ Supported values: > [!NOTE] > This setting may restrict the user's ability to copy/paste files in and out of the sandbox. -**Printer redirection**: Enables or disables printer sharing from the host into the sandbox. +### Printer redirection + +Enables or disables printer sharing from the host into the sandbox. `value` @@ -141,7 +179,9 @@ Supported values: - *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host. - *Default*: This is the default value for printer redirection support. Currently this means printer redirection is disabled. -**Clipboard redirection**: Enables or disables sharing of the host clipboard with the sandbox. +### Clipboard redirection + +Enables or disables sharing of the host clipboard with the sandbox. `value` @@ -149,16 +189,18 @@ Supported values: - *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted. - *Default*: This is the default value for clipboard redirection. Currently copy/paste between the host and sandbox are permitted under *Default*. -**Memory in MB**: Specifies the amount of memory that the sandbox can use in megabytes (MB). +### Memory in MB + +Specifies the amount of memory that the sandbox can use in megabytes (MB). `value` If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount. -***Example 1*** +## Example 1 The following config file can be used to easily test downloaded files inside the sandbox. To achieve this, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started. -*Downloads.wsb* +### Downloads.wsb ```xml @@ -177,7 +219,7 @@ The following config file can be used to easily test downloaded files inside the ``` -***Example 2*** +## Example 2 The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup. @@ -185,9 +227,9 @@ Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSC With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it. -*VSCodeInstall.cmd* +### VSCodeInstall.cmd -```console +```batch REM Download Visual Studio Code curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe @@ -195,7 +237,7 @@ REM Install and run Visual Studio Code C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes ``` -*VSCode.wsb* +### VSCode.wsb ```xml diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index e7b8a53f7a..81f95a98be 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md @@ -1,7 +1,7 @@ --- -title: Windows Sandbox +title: Windows Sandbox description: -ms.prod: w10 +ms.prod: m365-security audience: ITPro author: dansimp ms.author: dansimp @@ -11,6 +11,7 @@ ms.topic: article ms.localizationpriority: ms.date: ms.reviewer: +ms.technology: mde --- # Windows Sandbox @@ -55,7 +56,7 @@ The following video provides an overview of Windows Sandbox. 1. Locate and select **Windows Sandbox** on the Start menu to run it for the first time. ## Usage -1. Copy an executable file (and any other files needed to run the application) from the host into the Windows Sandbox window. +1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window. 2. Run the executable file or installer inside the sandbox. 3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be discarded and permanently deleted. Select **ok**. 4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox. diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md index a0f657a331..1dff3c58b3 100644 --- a/windows/security/threat-protection/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-baselines.md @@ -2,7 +2,7 @@ title: Windows security baselines description: Learn how to use Windows security baselines in your organization. Specific to Windows 10, Windows Server, and Microsoft 365 Apps for enterprise. keywords: virtualization, security, malware -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp @@ -13,6 +13,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/25/2018 ms.reviewer: +ms.technology: mde --- # Windows security baselines diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md index d4412fe665..dc04dd3986 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md @@ -2,7 +2,7 @@ title: Get support for Windows security baselines description: Find answers to frequently asked question on how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics. keywords: virtualization, security, malware -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp @@ -13,6 +13,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/25/2018 ms.reviewer: +ms.technology: mde --- # Get Support @@ -40,7 +41,7 @@ The toolkit supports formats created by the Windows GPO backup feature (.pol, .i Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features. -**Does SCT support the creation of Microsoft Endpoint Configuration Manager DCM packs?** +**Does SCT support the creation of Microsoft Endpoint Manager DCM packs?** No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO Backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index 32282b709b..43cab9aa77 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -2,7 +2,7 @@ title: Microsoft Security Compliance Toolkit 1.0 Guide description: This article describes how to use the Security Compliance Toolkit in your organization keywords: virtualization, security, malware -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp @@ -13,6 +13,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/26/2018 ms.reviewer: +ms.technology: mde --- # Microsoft Security Compliance Toolkit 1.0 diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index c5be88f4ea..6f6dcedfad 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -2,7 +2,7 @@ title: Windows security baselines guide description: Learn how to use Windows security baselines in your organization. Specific to Windows 10, Windows Server 2016, and Office 2016. keywords: virtualization, security, malware -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp @@ -13,6 +13,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/25/2018 ms.reviewer: +ms.technology: mde --- # Windows security baselines diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json index d4d30ecdba..ad59eb692c 100644 --- a/windows/threat-protection/docfx.json +++ b/windows/threat-protection/docfx.json @@ -41,7 +41,16 @@ "depot_name": "MSDN.win-threat-protection", "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/update/docfx.json b/windows/update/docfx.json index c5ef1b98ba..769331235a 100644 --- a/windows/update/docfx.json +++ b/windows/update/docfx.json @@ -35,7 +35,16 @@ "depot_name": "MSDN.windows-update", "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md deleted file mode 100644 index 9be4f860e1..0000000000 --- a/windows/whats-new/TOC.md +++ /dev/null @@ -1,12 +0,0 @@ -# [What's new in Windows 10](index.md) -## [What's new in Windows 10, version 20H2](whats-new-windows-10-version-20H2.md) -## [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md) -## [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md) -## [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) -## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) -## [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) -## Previous versions -### [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) -### [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) -### [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) -### [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml new file mode 100644 index 0000000000..a0d1667af2 --- /dev/null +++ b/windows/whats-new/TOC.yml @@ -0,0 +1,24 @@ +- name: What's new in Windows 10 + href: index.yml +- name: What's new in Windows 10, version 20H2 + href: whats-new-windows-10-version-20H2.md +- name: What's new in Windows 10, version 2004 + href: whats-new-windows-10-version-2004.md +- name: What's new in Windows 10, version 1909 + href: whats-new-windows-10-version-1909.md +- name: What's new in Windows 10, version 1903 + href: whats-new-windows-10-version-1903.md +- name: What's new in Windows 10, version 1809 + href: whats-new-windows-10-version-1809.md +- name: What's new in Windows 10, version 1803 + href: whats-new-windows-10-version-1803.md +- name: Previous versions + items: + - name: What's new in Windows 10, version 1709 + href: whats-new-windows-10-version-1709.md + - name: What's new in Windows 10, version 1703 + href: whats-new-windows-10-version-1703.md + - name: What's new in Windows 10, version 1607 + href: whats-new-windows-10-version-1607.md + - name: What's new in Windows 10, versions 1507 and 1511 + href: whats-new-windows-10-version-1507-and-1511.md \ No newline at end of file diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 5ff6fb5017..04908deceb 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -3,7 +3,8 @@ "content": [ { "files": [ - "**/*.md" + "**/*.md", + "**/*.yml" ], "exclude": [ "**/obj/**", @@ -32,6 +33,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "ms.topic": "article", "audience": "ITPro", @@ -44,7 +46,17 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "What's new in Windows" + "titleSuffix": "What's new in Windows", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], + "searchScope": ["Windows 10"] }, "fileMetadata": {}, "template": [], diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md deleted file mode 100644 index 559ab66233..0000000000 --- a/windows/whats-new/index.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -title: What's new in Windows 10 (Windows 10) -description: Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. -ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 -keywords: ["What's new in Windows 10", "Windows 10"] -ms.prod: w10 -audience: itpro -author: greg-lindsay -ms.author: greglin -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- - -# What's new in Windows 10 - -Windows 10 provides IT professionals with advanced protection against modern security threats and comprehensive management and control over devices and apps, as well as flexible deployment, update, and support options. Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. - -## In this section - -- [What's new in Windows 10, version 20H2](whats-new-windows-10-version-20H2.md) -- [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md) -- [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md) -- [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) -- [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) -- [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) - - -## Learn more - -- [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) -- [Windows 10 release health dashboard](https://docs.microsoft.com/windows/release-information/status-windows-10-2004) -- [Windows 10 update history](https://support.microsoft.com/help/4555932/windows-10-update-history) -- [What’s new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new) -- [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features) -- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features) -- [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkId=690485) - -## See also - -[Windows 10 Enterprise LTSC](ltsc/index.md)
        -[Edit an existing topic using the Edit link](contribute-to-a-topic.md) - diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml new file mode 100644 index 0000000000..20d56ff5c8 --- /dev/null +++ b/windows/whats-new/index.yml @@ -0,0 +1,68 @@ +### YamlMime:Landing + +title: What's new in Windows 10 # < 60 chars +summary: Find out about new features and capabilities in the latest release of Windows 10. # < 160 chars + +metadata: + title: What's new in Windows 10 # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Find out about new features and capabilities in the latest release of Windows 10. # Required; article description that is displayed in search results. < 160 chars. + services: windows-10 + ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.subservice: subservice + ms.topic: landing-page # Required + ms.collection: windows-10 + author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. + ms.author: greglin #Required; microsoft alias of author; optional team alias. + ms.date: 02/09/2021 #Required; mm/dd/yyyy format. + localization_priority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: What's new in Windows 10 + linkLists: + - linkListType: overview + links: + - text: What's new in Windows 10, version 20H2 + url: whats-new-windows-10-version-20H2.md + - text: What's new in Windows 10, version 2004 + url: whats-new-windows-10-version-2004.md + - text: What's new in Windows 10, version 1909 + url: whats-new-windows-10-version-1909.md + - text: What's new in Windows 10, version 1903 + url: whats-new-windows-10-version-1903.md + - text: What's new in Windows 10, version 1809 + url: whats-new-windows-10-version-1809.md + - text: What's new in Windows 10, version 1803 + url: whats-new-windows-10-version-1803.md + + # Card (optional) + - title: Learn more + linkLists: + - linkListType: overview + links: + - text: Windows 10 release information + url: https://docs.microsoft.com/en-us/windows/release-health/release-information + - text: Windows 10 release health dashboard + url: https://docs.microsoft.com/windows/release-information/ + - text: Windows 10 update history + url: https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3 + - text: Windows 10 features we’re no longer developing + url: https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features + - text: Features and functionality removed in Windows 10 + url: https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features + - text: Compare Windows 10 Editions + url: https://go.microsoft.com/fwlink/p/?LinkId=690485 + + # Card (optional) + - title: See also + linkLists: + - linkListType: overview + links: + - text: Windows 10 Enterprise LTSC + url: ltsc/index.md + - text: Edit an existing topic using the Edit link + url: contribute-to-a-topic.md \ No newline at end of file diff --git a/windows/whats-new/ltsc/TOC.md b/windows/whats-new/ltsc/TOC.md index e49aee21fc..a16525cda0 100644 --- a/windows/whats-new/ltsc/TOC.md +++ b/windows/whats-new/ltsc/TOC.md @@ -1,4 +1,4 @@ # [Windows 10 Enterprise LTSC](index.md) -## [What's new in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md) -## [What's new in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md) -## [What's new in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) +## [What's new in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md) +## [What's new in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md) +## [What's new in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md) diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index b1464088fc..171020f940 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -22,31 +22,31 @@ ms.topic: article This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel. -[What's New in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md)
        -[What's New in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md)
        -[What's New in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) +[What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
        +[What's New in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
        +[What's New in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md) -## The Long Term Servicing Channel (LTSC) +## The Long-Term Servicing Channel (LTSC) The following table summarizes equivalent feature update versions of Windows 10 LTSC and semi-annual channel (SAC) releases. | LTSC release | Equivalent SAC release | Availability date | | --- | --- | --- | -| Windows 10 Enterprise 2015 LTSC | Windows 10, Version 1507 | 7/29/2015 | -| Windows 10 Enterprise 2016 LTSC | Windows 10, Version 1607 | 8/2/2016 | -| Windows 10 Enterprise 2019 LTSC | Windows 10, Version 1809 | 11/13/2018 | +| Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 | +| Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 | +| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 | >[!NOTE] ->The Long Term Servicing Channel was previously called the Long Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. +>The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. >[!IMPORTANT] ->The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). +>The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview). ## See Also [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
        -[Windows 10 - Release information](https://docs.microsoft.com/windows/windows-10/release-information): Windows 10 current versions by servicing option. +[Windows 10 - Release information](https://docs.microsoft.com/windows/release-health/release-information): Windows 10 current versions by servicing option. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index aace786788..d0408f77d6 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -1,10 +1,10 @@ --- -title: What's new in Windows 10 Enterprise 2015 LTSC +title: What's new in Windows 10 Enterprise LTSC 2015 ms.reviewer: manager: laurawi ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"] +description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2015"] ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -14,15 +14,15 @@ ms.localizationpriority: low ms.topic: article --- -# What's new in Windows 10 Enterprise 2015 LTSC +# What's new in Windows 10 Enterprise LTSC 2015 **Applies to** -- Windows 10 Enterprise 2015 LTSC +- Windows 10 Enterprise LTSC 2015 -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). >[!NOTE] ->Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). +>Features in Windows 10 Enterprise LTSC 2015 are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). ## Deployment @@ -280,7 +280,7 @@ By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279 - **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. -- **Use with existing tools** such as Microsoft Endpoint Configuration Manager and the [Enterprise Mobility Suite](https://docs.microsoft.com/enterprise-mobility-security). +- **Use with existing tools** such as Microsoft Endpoint Manager and the [Enterprise Mobility Suite](https://docs.microsoft.com/enterprise-mobility-security). Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr). diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index 37619d2d6f..3b3891912c 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -1,10 +1,10 @@ --- -title: What's new in Windows 10 Enterprise 2016 LTSC +title: What's new in Windows 10 Enterprise LTSC 2016 ms.reviewer: manager: laurawi ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"] +description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2016"] ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -14,15 +14,15 @@ ms.localizationpriority: low ms.topic: article --- -# What's new in Windows 10 Enterprise 2016 LTSC +# What's new in Windows 10 Enterprise LTSC 2016 **Applies to** -- Windows 10 Enterprise 2016 LTSC +- Windows 10 Enterprise LTSC 2016 -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). >[!NOTE] ->Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607. +>Features in Windows 10 Enterprise LTSC 2016 are equivalent to Windows 10, version 1607. ## Deployment @@ -71,7 +71,7 @@ Isolated User Mode is now included with Hyper-V so you don't have to install it When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. -Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC: +Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016: - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. - Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. @@ -124,11 +124,11 @@ Several new features and management options have been added to Windows Defender - [Run a Windows Defender scan from the command line](/windows/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus). - [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times. -### Windows Defender Advanced Threat Protection (ATP) +### Microsoft Defender for Endpoint -With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. +With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Microsoft Defender for Endpoint is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. -[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). +[Learn more about Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). ### VPN security diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 591f85814f..e74672c002 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -1,10 +1,10 @@ --- -title: What's new in Windows 10 Enterprise 2019 LTSC +title: What's new in Windows 10 Enterprise LTSC 2019 ms.reviewer: manager: laurawi ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"] +description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2019"] ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,15 +13,15 @@ ms.localizationpriority: low ms.topic: article --- -# What's new in Windows 10 Enterprise 2019 LTSC +# What's new in Windows 10 Enterprise LTSC 2019 **Applies to** -- Windows 10 Enterprise 2019 LTSC +- Windows 10 Enterprise LTSC 2019 -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). >[!NOTE] ->Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. +>Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809. Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: - Advanced protection against modern security threats @@ -44,11 +44,11 @@ This version of Window 10 includes security improvements for threat protection, ### Threat protection -#### Windows Defender ATP +#### Microsoft Defender for Endpoint -The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform includes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. +The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. -![Windows Defender ATP](../images/wdatp.png) +![Microsoft Defender for Endpoint](../images/wdatp.png) ##### Attack surface reduction @@ -72,9 +72,9 @@ But these protections can also be configured separately. And, unlike HVCI, code ### Endpoint detection and response -Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal. +Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. - Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). + Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). The new library includes information on: - [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus) @@ -85,7 +85,7 @@ Endpoint detection and response is improved. Enterprise customers can now take a Some of the highlights of the new library include [Evaluation guide for Microsoft Defender AV](/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus) and [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus). - New features for Microsoft Defender AV in Windows 10 Enterprise 2019 LTSC include: + New features for Microsoft Defender AV in Windows 10 Enterprise LTSC 2019 include: - [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) - [The ability to specify the level of cloud-protection](/windows/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) - [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus) @@ -104,20 +104,20 @@ Endpoint detection and response is improved. Enterprise customers can now take a - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. Additional capabilities have been added to help you gain a holistic view on **investigations** include: -- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. -- [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) +- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. +- [Query data using Advanced hunting in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. -- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. +- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint. Other enhanced security features include: -- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. -- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. -- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. -- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. -- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. -- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. +- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues. +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Integration with Azure Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines. +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor. - [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. @@ -127,15 +127,15 @@ We’re continuing to work on how other security apps you’ve installed show up This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). You can read more about ransomware mitigations and detection capability at: -- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) +- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) - [Ransomware security intelligence](https://docs.microsoft.com/windows/security/threat-protection/intelligence/ransomware-malware) - [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) -Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) +Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) -Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). +Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). -For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). +For more information about features of Microsoft Defender for Endpoint available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). ### Information protection @@ -239,7 +239,7 @@ WSC now includes the Fluent Design System elements you know and love. You’ll a The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. A new security policy setting -[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. +[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise LTSC 2019. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. #### Windows 10 in S mode @@ -251,7 +251,7 @@ We’ve continued to work on the **Current threats** area in [Virus & threat pr ### Windows Autopilot -[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information. @@ -265,7 +265,7 @@ IT Pros can use Autopilot Reset to quickly remove personal files, apps, and sett ### MBR2GPT.EXE -MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). +MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. @@ -293,7 +293,7 @@ For more information, see [DISM operating system uninstall command-line options] You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. Prerequisites: -- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later. +- Windows 10, version 1803 or Windows 10 Enterprise LTSC 2019, or later. - Windows 10 Enterprise or Pro For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). @@ -332,7 +332,7 @@ SetupDiag works by searching Windows Setup log files. When searching log files, If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash! **To enable fast sign-in:** -1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC. +1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019. 2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. 3. Sign-in to a shared PC with your account. You'll notice the difference! @@ -402,7 +402,7 @@ If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.micro ### Co-management -Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. +Intune and Microsoft Endpoint Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) @@ -428,7 +428,7 @@ The following new Group Policy and mobile device management (MDM) settings are a ### Start and taskbar layout -Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). +Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise LTSC 2019 adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). [Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: @@ -467,7 +467,7 @@ You can now register your Azure AD domains to the Windows Insider Program. For m ### Optimize update delivery -With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. +With changes delivered in Windows 10 Enterprise LTSC 2019, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. >[!NOTE] > The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. @@ -485,15 +485,15 @@ To check out all the details, see [Configure Delivery Optimization for Windows 1 ### Uninstalled in-box apps no longer automatically reinstall -Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. +Starting with Windows 10 Enterprise LTSC 2019, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. -Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC. +Additionally, apps de-provisioned by admins on Windows 10 Enterprise LTSC 2019 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise LTSC 2016 (or earlier) to Windows 10 Enterprise LTSC 2019. ## Management ### New MDM capabilities -Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). +Windows 10 Enterprise LTSC 2019 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). Some of the other new CSPs are: @@ -519,17 +519,17 @@ Multiple new configuration items are also added. For more information, see [What ### Mobile application management support for Windows 10 -The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC. +The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise LTSC 2019. For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). ### MDM diagnostics -In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. +In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. ### Application Virtualization for Windows (App-V) -Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. For more info, see the following topics: - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) @@ -546,7 +546,7 @@ Learn more about the diagnostic data that's collected at the Basic level and som ### Group Policy spreadsheet -Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC. +Learn about the new Group Policies that were added in Windows 10 Enterprise LTSC 2019. - [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) @@ -579,9 +579,9 @@ Miracast over Infrastructure offers a number of benefits: Enabling Miracast over Infrastructure: -If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: +If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: -- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS. +- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS. - A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 6898dce476..d12e6a7145 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -326,7 +326,7 @@ By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279 - **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. -- **Use with existing tools** such as Microsoft Endpoint Configuration Manager and the [Enterprise Mobility Suite](https://docs.microsoft.com/enterprise-mobility-security). +- **Use with existing tools** such as Microsoft Endpoint Manager and the [Enterprise Mobility Suite](https://docs.microsoft.com/enterprise-mobility-security). Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr). diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index f3e4867a56..c3ec4500b4 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -110,10 +110,11 @@ Several new features and management options have been added to Windows Defender - [Run a Windows Defender scan from the command line](/windows/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus). - [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times. -### Windows Defender Advanced Threat Protection (ATP) -With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. +### Microsoft Defender for Endpoint -[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). +With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Microsoft Defender for Endpoint is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. + +[Learn more about Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). ## Management diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 9d74b2f7b8..4aec0eab76 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -18,7 +18,7 @@ ms.topic: article Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update). -For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). +For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). >[!NOTE] >Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update). @@ -96,9 +96,9 @@ For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). ## Security -### Windows Defender Advanced Threat Protection +### Microsoft Defender for Endpoint -New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10, version 1703 include: +New features in Microsoft Defender for Endpoint for Windows 10, version 1703 include: - **Detection**
        Enhancements to the detection capabilities include: - [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. @@ -107,12 +107,12 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10 - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed - **Investigation**
        - Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations. + Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus detections and Device Guard blocks being surfaced in the Microsoft Defender for Endpoint portal. Other capabilities have been added to help you gain a holistic view on investigations. Other investigation enhancements include: - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. - - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. + - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint. - **Response**
        When detecting an attack, security response teams can now take immediate action to contain a breach: @@ -121,11 +121,11 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10 - **Other features** - - [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. + - [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues. -You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/). +You can read more about ransomware mitigations and detection capability in Microsoft Defender for Endpoint in the blog: [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/). -Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/windows/mt782787). +Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10 and the new capabilities in Windows 10, version 1703 see [Microsoft Defender for Endpoint for Windows 10 Creators Update](https://technet.microsoft.com/windows/mt782787). ### Microsoft Defender Antivirus Windows Defender is now called Microsoft Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). @@ -186,7 +186,7 @@ You can also now collect your audit event logs by using the Reporting configurat The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). -Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. ### Windows Insider for Business @@ -252,13 +252,13 @@ For more info, see [Implement server-side support for mobile application managem In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. ### Application Virtualization for Windows (App-V) -Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart. For more info, see the following topics: - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) - [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) -- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) +- [Automatically clean up unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) ### Windows diagnostic data @@ -294,7 +294,7 @@ Windows 10 Mobile, version 1703 also includes the following enhancements: - OTC update tool - Continuum display management - Individually turn off the monitor or phone screen when not in use - - Indiviudally adjust screen time-out settings + - individually adjust screen time-out settings - Continuum docking solutions - Set Ethernet port properties - Set proxy properties for the Ethernet port diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index 468c6ddce9..b33762e67f 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -85,9 +85,9 @@ The AssignedAccess CSP has been expanded to make it easy for administrators to c **Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). -### Windows Defender ATP +### Microsoft Defender for Endpoint -Windows Defender ATP has been expanded with powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. For more information, see [View the Windows Defender Advanced Threat Protection Security analytics dashboard](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection). +Microsoft Defender for Endpoint has been expanded with powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. For more information, see [View the Microsoft Defender for Endpoint Security analytics dashboard](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection). ### Windows Defender Application Guard @@ -149,7 +149,7 @@ Several network stack enhancements are available in this release. Some of these [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
        [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
        [What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
        -[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709. +[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Microsoft Defender for Endpoint in Windows 10, version 1709. [Threat protection on Windows 10](https://docs.microsoft.com/windows/security/threat-protection/):Detects advanced attacks and data breaches, automates security incidents and improves security posture.
        diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 93bcfb411b..f18ad34787 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -173,7 +173,7 @@ The new [security baseline for Windows 10 version 1803](https://docs.microsoft.c ### Microsoft Defender Antivirus -Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). +Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). ### Windows Defender Exploit Guard @@ -181,15 +181,15 @@ Windows Defender Exploit Guard enhanced attack surface area reduction, extended For more information, see [Reduce attack surfaces](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction) -### Windows Defender ATP +### Microsoft Defender for Endpoint -[Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics: +[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics: -- [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) +- [Query data using Advanced hunting in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) - [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) -Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) +Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) ### Windows Defender Application Guard @@ -233,5 +233,5 @@ Support in [Windows Defender Application Guard](#windows-defender-application-gu - [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features. - [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10. - [What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware. -- [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709. +- [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Microsoft Defender for Endpoint in Windows 10, version 1709. diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 309ce421df..f748bb87cf 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -133,32 +133,32 @@ Windows Defender Credential Guard has always been an optional feature, but Windo A network connection is now required to set up a new device. As a result, we removed the “skip for now” option in the network setup page in Out Of Box Experience (OOBE). -### Windows Defender ATP +### Microsoft Defender for Endpoint -[Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics: +[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics: - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)
        -Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. +Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
        With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. - [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
        -Windows Defender ATP adds support for this scenario by providing MSSP integration. +Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. -- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
        -Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. +- [Integration with Azure Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
        +Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers. - [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
        -Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored machines. - [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
        -Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
        -Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor +Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor ## Cloud Clipboard diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index aed8001e95..fbe745b3a6 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -53,7 +53,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update ## Servicing -- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon! +- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon! - [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. @@ -66,7 +66,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update ### Windows Information Protection -With this release, Windows Defender ATP extends discovery and protection of sensitive information with [Auto Labeling](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files). +With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with [Auto Labeling](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files). ### Security configuration framework @@ -80,15 +80,15 @@ The draft release of the [security configuration baseline settings](https://blog [Intune Security Baselines](https://docs.microsoft.com/intune/security-baselines) (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams. -### Microsoft Defender Advanced Threat Protection (ATP): +### Microsoft Defender for Endpoint - [Attack surface area reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. - [Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. - - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical ATP security capabilities away from the OS and attackers. -- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Windows Defender ATP’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. + - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. +- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. -### Microsoft Defender ATP next-gen protection technologies: +### Microsoft Defender for Endpoint next-gen protection technologies: - **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. - **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 314e4d3826..7b71eef3d5 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -32,7 +32,7 @@ If you are updating from an older version of Windows 10 (version 1809 or earlier ### Windows Server Update Services (WSUS) -Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Endpoint Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054). +Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Endpoint Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054). The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903. diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index 8c86914b6b..562b8ec51b 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -30,8 +30,11 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings ### Windows Hello - Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. + - You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. + - Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#windows-hello-pin-in-safe-mode-build-18995). + - Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). ### Windows Defender System Guard @@ -52,7 +55,7 @@ Note: [Application Guard for Office](https://support.office.com/article/applicat ### Windows Setup -Windows Setup [answer files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language ](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/). +Windows Setup [answer files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language handling](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/). Improvements in Windows Setup with this release also include: - Reduced offline time during feature updates @@ -84,7 +87,7 @@ Also see [What's new in Microsoft Intune](https://docs.microsoft.com/mem/intune/ ### Windows Assessment and Deployment Toolkit (ADK) -Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install). +Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 here: [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install). For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004). @@ -120,8 +123,11 @@ The following [Delivery Optimization](https://docs.microsoft.com/windows/deploym ### Windows Update for Business [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include: + - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. + - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. + - Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue leveraging deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215). ## Networking @@ -185,9 +191,13 @@ Several enhancements to the Windows 10 user interface are implemented in this re ### Cortana [Cortana](https://www.microsoft.com/cortana) has been updated and enhanced in Windows 10, version 2004: + - Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US. + - In the coming months, with regular app updates through the Microsoft Store, we’ll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users. + - Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365’s enterprise-level privacy, security, and compliance promises](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide) as set out in the Online Services Terms. + - Move the Cortana window: drag the Cortana window to a more convenient location on your desktop. For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpdatesMay2020). @@ -202,7 +212,7 @@ You can now [rename your virtual desktops](https://docs.microsoft.com/windows-in ### Bluetooth pairing -Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](https://docs.microsoft.com/windows-insider/at-home/Whats-new-wip-at-home-20h1#improving-your-bluetooth-pairing-experience-build-18985). +Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](https://docs.microsoft.com/windows-insider/archive/new-in-20h1#improving-your-bluetooth-pairing-experience-build-18985). ### Reset this PC @@ -246,13 +256,13 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha ## See Also -[What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
        -[What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
        -[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
        -[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
        -[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
        -[Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
        -[What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.
        -[What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
        -[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
        -[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
        + - [What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
        + - [What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
        + - [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
        + - [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
        + - [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
        + - [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
        + - [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.
        + - [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
        + - [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
        + - [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
        diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md index 8600af198f..ec7ffb671e 100644 --- a/windows/whats-new/whats-new-windows-10-version-20H2.md +++ b/windows/whats-new/whats-new-windows-10-version-20H2.md @@ -86,9 +86,9 @@ For more information about what's new in MDM, see [What's new in mobile device e ## Security -### Microsoft Defender Advanced Threat Protection (ATP) +### Microsoft Defender for Endpoint -This release includes improved support for non-ASCII file paths has been added for Microsoft Defender ATP Auto Incident Response (IR). +This release includes improved support for non-ASCII file paths for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR). The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release. @@ -104,7 +104,7 @@ With specialized hardware and software components available on devices shipping ### Windows Sandbox -New polices for [Windows Sandbox](https://docs.microsoft.com/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) are available in this release. For more information, see [Policy CSP - WindowsSandbox](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowssandbox). +New policies for [Windows Sandbox](https://docs.microsoft.com/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) are available in this release. For more information, see [Policy CSP - WindowsSandbox](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowssandbox). ### Windows Virtual Desktop (WVD)

        Threat & Vulnerability Management

        Attack surface reduction

        Next-generation protection

        Endpoint detection and response

        Automated investigation and remediation

        Microsoft Threat Experts
        Threat & Vulnerability Management
        Threat & Vulnerability Management
        Attack surface reduction
        Attack surface reduction
        Next-generation protection
        Next-generation protection
        Endpoint detection and response
        Endpoint detection and response
        Automated investigation and remediation
        Automated investigation and remediation
        Microsoft Threat Experts
        Microsoft Threat Experts
        @@ -69,11 +74,11 @@ Microsoft Defender ATP uses the following combination of technology built into W

        ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4vnC4?rel=0] +>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vnC4?rel=0] > [!TIP] -> - Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). -> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). +> - Learn about the latest enhancements in Defender for Endpoint: [What's new in Microsoft Defender for Endpoint](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +> - Microsoft Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). @@ -88,7 +93,7 @@ The attack surface reduction set of capabilities provides the first line of defe **[Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**
        -To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats. +To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. @@ -98,21 +103,21 @@ Endpoint detection and response capabilities are put in place to detect, investi **[Automated investigation and remediation](automated-investigations.md)**
        -In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. **[Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)**
        -Microsoft Defender ATP includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. +Defender for Endpoint includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. **[Microsoft Threat Experts](microsoft-threat-experts.md)**
        -Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately. +Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately. >[!IMPORTANT] ->Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.

        +>Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.

        >

        If you are not enrolled yet and would like to experience its benefits, go to Settings > General > Advanced features > Microsoft Threat Experts to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. @@ -123,17 +128,18 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf **[Integration with Microsoft solutions](threat-protection-integration.md)**
        - Microsoft Defender ATP directly integrates with various Microsoft solutions, including: -- Intune -- Office 365 ATP -- Azure ATP +Defender for Endpoint directly integrates with various Microsoft solutions, including: - Azure Security Center -- Skype for Business +- Azure Sentinel +- Intune - Microsoft Cloud App Security +- Microsoft Defender for Identity +- Microsoft Defender for Office +- Skype for Business -**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
        - With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. +**[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
        +With Microsoft 365 Defender, Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. ## Related topic -[Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/en-us/itshowcase/microsoft-defender-atps-antivirus-capabilities-boost-malware-protection) +[Microsoft Defender for Endpoint helps detect sophisticated threats](https://www.microsoft.com/itshowcase/microsoft-defender-atps-antivirus-capabilities-boost-malware-protection) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md index 4b4a872950..5787716e3b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md @@ -1,11 +1,11 @@ --- title: Microsoft Defender ATP for Android -ms.reviewer: +ms.reviewer: description: Describes how to install and use Microsoft Defender ATP for Android keywords: microsoft, defender, atp, android, installation, deploy, uninstallation, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,29 +15,35 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- -# Microsoft Defender Advanced Threat Protection for Android +# Microsoft Defender for Endpoint for Android [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -This topic describes how to install, configure, update, and use Microsoft Defender ATP for Android. +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +This topic describes how to install, configure, update, and use Defender for Endpoint for Android. > [!CAUTION] -> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Android is likely to cause performance problems and unpredictable system errors. +> Running other third-party endpoint protection products alongside Defender for Endpoint for Android is likely to cause performance problems and unpredictable system errors. -## How to install Microsoft Defender ATP for Android +## How to install Microsoft Defender for Endpoint for Android ### Prerequisites - **For end users** - - Microsoft Defender ATP license assigned to the end user(s) of the app. See [Microsoft Defender ATP licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements) + - Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements) - Intune Company Portal app can be downloaded from [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal) @@ -57,7 +63,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend - Access to the Microsoft Defender Security Center portal. > [!NOTE] - > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender ATP for Android. Currently only enrolled devices are supported for enforcing Microsoft Defender ATP for Android related device compliance policies in Intune. + > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint for Android. Currently only enrolled devices are supported for enforcing Defender for Endpoint for Android related device compliance policies in Intune. - Access [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the @@ -72,24 +78,24 @@ This topic describes how to install, configure, update, and use Microsoft Defend ### Installation instructions -Microsoft Defender ATP for Android supports installation on both modes of +Microsoft Defender for Endpoint for Android supports installation on both modes of enrolled devices - the legacy Device Administrator and Android Enterprise modes. -**Currently, only Work Profile enrolled devices are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.** +**Currently, Personally-owned devices with work profile and Corporate-owned fully managed user device enrolments are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.** -Deployment of Microsoft Defender ATP for Android is via Microsoft Intune (MDM). -For more information, see [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md). +Deployment of Microsoft Defender for Endpoint for Android is via Microsoft Intune (MDM). +For more information, see [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](android-intune.md). > [!NOTE] -> **Microsoft Defender ATP for Android is available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.**
        You can connect to Google Play from Intune to deploy Microsoft Defender ATP app, across Device Administrator and Android Enterprise entrollment modes. +> **Microsoft Defender for Endpoint for Android is available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.**
        You can connect to Google Play from Intune to deploy Microsoft Defender for Endpoint app, across Device Administrator and Android Enterprise entrollment modes. -## How to Configure Microsoft Defender ATP for Android +## How to Configure Microsoft Defender for Endpoint for Android -Guidance on how to configure Microsoft Defender ATP for Android features is available in [Configure Microsoft Defender ATP for Android features](android-configure.md). +Guidance on how to configure Microsoft Defender for Endpoint for Android features is available in [Configure Microsoft Defender for Endpoint for Android features](android-configure.md). ## Related topics -- [Deploy Microsoft Defender ATP for with Microsoft Intune](android-intune.md) -- [Configure Microsoft Defender ATP for Android features](android-configure.md) +- [Deploy Microsoft Defender for Endpoint for with Microsoft Intune](android-intune.md) +- [Configure Microsoft Defender for Endpoint for Android features](android-configure.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md deleted file mode 100644 index b5143827c8..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md +++ /dev/null @@ -1,92 +0,0 @@ ---- -title: Microsoft Defender ATP for iOS - Privacy information -ms.reviewer: -description: Describes privacy information for Microsoft Defender ATP for iOS -keywords: microsoft, defender, atp, ios, policy, overview -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint -ms.topic: conceptual ---- - -# Privacy information - Microsoft Defender for Endpoint for iOS - -> [!NOTE] -> Defender for Endpoint for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.** - -Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected, and to support the service. - -For more details about data storage, see [Microsoft Defender for Endpoint data storage and privacy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). - -## Required data - -Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. - -Here is a list of the types of data being collected: - -### Web page or Network information - -- Connection information only when a malicious connection or web page is detected. - -- Protocol type (such as HTTP, HTTPS, etc.) only when a malicious connection or web page is detected. - -### Device and account information - -- Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following: - - - Wi-Fi adapter MAC address - - - Randomly generated globally unique identifier (GUID) - -- Tenant, Device and User information - - - Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory. - - - Azure tenant ID - GUID that identifies your organization within Azure Active Directory. - - - Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. - - - User Principal Name – Email ID of the user. - -### Product and service usage data - -The following information is collected only for Microsoft Defender for Endpoint app installed on the device. - -- App package info, including name, version, and app upgrade status. - -- Actions performed in the app. - -- Crash report logs generated by iOS. - -- Memory usage data. - -## Optional Data - -Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself. - -Optional diagnostic data includes: - -- App, CPU, and network usage for Defender for Endpoint. - -- Features configured by the admin for Defender for Endpoint. - -Feedback Data is collected through in-app feedback provided by the user. - -- The user’s email address, if they choose to provide it. - -- Feedback type (smile, frown, idea) and any feedback comments submitted by the user. - -For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatement). - - diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md index 118ea48672..93f29b113b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md @@ -1,11 +1,11 @@ --- title: Microsoft Defender ATP for iOS overview -ms.reviewer: +ms.reviewer: description: Describes how to install and use Microsoft Defender ATP for iOS keywords: microsoft, defender, atp, ios, overview, installation, deploy, uninstallation, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,64 +15,70 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- -# Microsoft Defender Advanced Threat Protection for iOS +# Microsoft Defender for Endpoint for iOS [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -> [!IMPORTANT] -> **PUBLIC PREVIEW EDITION** -> -> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability. -> -> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - -The public preview of Microsoft Defender ATP for iOS will offer protection -against phishing and unsafe network connections from websites, emails, and apps. -All alerts will be available through a single pane of glass in the Microsoft -Defender Security Center. The portal gives security teams a centralized view of threats on +**Microsoft Defender for Endpoint for iOS** will offer protection against phishing and unsafe network connections from websites, emails, and apps. All alerts will be available through a single pane of glass in the Microsoft Defender Security Center. The portal gives security teams a centralized view of threats on iOS devices along with other platforms. +> [!CAUTION] +> Running other third-party endpoint protection products alongside Defender for Endpoint for iOS is likely to cause performance problems and unpredictable system errors. + ## Pre-requisites - **For End Users** -- Microsoft Defender ATP license assigned to the end user(s) of the app. Refer - [Assign licenses to - users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign) - for instructions on how to assign licenses. +- Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements). + +- Device(s) are [enrolled](https://docs.microsoft.com/mem/intune/user-help/enroll-your-device-in-intune-ios) via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license. + - Intune Company Portal app can be downloaded from the [Apple App Store](https://apps.apple.com/us/app/intune-company-portal/id719171358). + - Note that Apple does not allow redirecting users to download other apps from the app store and hence this step needs to be done by the user before onboarding to Microsoft Defender for Endpoint app. + +- For more information on how to assign licenses, see [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign). **For Administrators** -- Access to the Microsoft Defender Security Center portal +- Access to the Microsoft Defender Security Center portal. -- Access to [Microsoft Endpoint Manager admin - center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app - to enrolled user groups in your organization + > [!NOTE] + > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint for iOS. Currently only enrolled devices are supported for enforcing Defender for Endpoint for iOS related device compliance policies in Intune. + +- Access to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization. **System Requirements** -- iOS devices running iOS 11.0 and above +- iOS devices running iOS 11.0 and above. -- Device is enrolled with Intune Company Portal - [app](https://apps.apple.com/us/app/intune-company-portal/id719171358) +- Device is enrolled with the [Intune Company Portal app](https://apps.apple.com/us/app/intune-company-portal/id719171358). + +> [!NOTE] +> **Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available on [Apple App Store](https://aka.ms/mdatpiosappstore).** + +## Installation instructions + +Deployment of Microsoft Defender for Endpoint for iOS is via Microsoft Intune (MDM) and both supervised and unsupervised devices are supported. +For more information, see [Deploy Microsoft Defender for Endpoint for iOS](ios-install.md). ## Resources -- Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS) - -- Provide feedback through in-app feedback system or through [SecOps - portal](https://securitycenter.microsoft.com) +- Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS). +- Provide feedback through in-app feedback system or through [SecOps portal](https://securitycenter.microsoft.com) ## Next steps -- [Deploy Microsoft Defender ATP for iOS](ios-install.md) -- [Configure Microsoft Defender ATP for iOS features](ios-configure-features.md) \ No newline at end of file +- [Deploy Microsoft Defender for Endpoint for iOS](ios-install.md) +- [Configure Microsoft Defender for Endpoint for iOS features](ios-configure-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index b53befb8a7..b9232a219a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -1,11 +1,11 @@ --- title: Microsoft Defender ATP for Linux -ms.reviewer: +ms.reviewer: description: Describes how to install and use Microsoft Defender ATP for Linux. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,44 +15,51 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- -# Microsoft Defender ATP for Linux +# Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -This topic describes how to install, configure, update, and use Microsoft Defender ATP for Linux. +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +This topic describes how to install, configure, update, and use Microsoft Defender for Endpoint for Linux. > [!CAUTION] -> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors. +> Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint for Linux is likely to cause performance problems and unpredictable system errors. -## How to install Microsoft Defender ATP for Linux +## How to install Microsoft Defender for Endpoint for Linux ### Prerequisites - Access to the Microsoft Defender Security Center portal +- Linux distribution using the [systemd](https://systemd.io/) system manager - Beginner-level experience in Linux and BASH scripting - Administrative privileges on the device (in case of manual deployment) ### Installation instructions -There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Linux. +There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint for Linux. In general you need to take the following steps: -- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the [Microsoft Defender ATP portal](microsoft-defender-security-center.md). -- Deploy Microsoft Defender ATP for Linux using one of the following deployment methods: +- Ensure that you have a Microsoft Defender for Endpoint subscription, and that you have access to the [Microsoft Defender for Endpoint portal](microsoft-defender-security-center.md). +- Deploy Microsoft Defender for Endpoint for Linux using one of the following deployment methods: - The command-line tool: - [Manual deployment](linux-install-manually.md) - Third-party management tools: - [Deploy using Puppet configuration management tool](linux-install-with-puppet.md) - [Deploy using Ansible configuration management tool](linux-install-with-ansible.md) -If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender ATP for Linux](linux-support-install.md). +If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender for Endpoint for Linux](linux-support-install.md). ### System requirements @@ -68,7 +75,7 @@ If you experience any installation failures, refer to [Troubleshooting installat - Minimum kernel version 3.10.0-327 - The `fanotify` kernel option must be enabled > [!CAUTION] - > Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. + > Running Defender for Endpoint for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. - Disk space: 1GB - The solution currently provides real-time protection for the following file system types: @@ -92,40 +99,41 @@ If you experience any installation failures, refer to [Troubleshooting installat After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. +- Audit framework (`auditd`) must be enabled. + >[!NOTE] + > System events captured by rules added to `audit.logs` will add to audit logs and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endopoint for Linux will be tagged with `mdatp` key. + ### Network connections The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them. - |**Spreadsheet of domains list**|**Description**| |:-----|:-----| -|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)
        | Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

        [Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) - - +|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)
        | Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

        [Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) > [!NOTE] > For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). -Microsoft Defender ATP can discover a proxy server by using the following discovery methods: +Defender for Endpoint can discover a proxy server by using the following discovery methods: - Transparent proxy - Manual static proxy configuration -If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md). +If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Defender for Endpoint. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md). > [!WARNING] > PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used. > -> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. +> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. -For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md). +For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint for Linux](linux-support-connectivity.md). -## How to update Microsoft Defender ATP for Linux +## How to update Microsoft Defender for Endpoint for Linux -Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Linux, refer to [Deploy updates for Microsoft Defender ATP for Linux](linux-updates.md). +Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender for Endpoint for Linux, refer to [Deploy updates for Microsoft Defender for Endpoint for Linux](linux-updates.md). -## How to configure Microsoft Defender ATP for Linux +## How to configure Microsoft Defender for Endpoint for Linux -Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md). +Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md). ## Resources diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 4f2891c210..c9e657dcaf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -1,11 +1,11 @@ --- title: Microsoft Defender ATP for Mac -ms.reviewer: +ms.reviewer: description: Learn how to install, configure, update, and use Microsoft Defender Advanced Threat Protection for Mac. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,43 +15,49 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- -# Microsoft Defender Advanced Threat Protection for Mac +# Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac. +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +This topic describes how to install, configure, update, and use Defender for Endpoint for Mac. > [!CAUTION] -> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of MDATP for Mac EDR functionality after configuring MDATP for Mac antivirus functionality to run in [Passive mode](mac-preferences.md#enable--disable-passive-mode). +> Running other third-party endpoint protection products alongside Defender for Endpoint for Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of MDATP for Mac EDR functionality after configuring MDATP for Mac antivirus functionality to run in [Passive mode](mac-preferences.md#enable--disable-passive-mode). ## What’s new in the latest release -[What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md) +[What's new in Microsoft Defender for Endpoint](whats-new-in-microsoft-defender-atp.md) -[What's new in Microsoft Defender ATP for Mac](mac-whatsnew.md) +[What's new in Microsoft Defender for Endpoint for Mac](mac-whatsnew.md) > [!TIP] -> If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**. +> If you have any feedback that you would like to share, submit it by opening Microsoft Defender for Endpoint for Mac on your device and navigating to **Help** > **Send feedback**. -To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender ATP to be an "Insider" device. See [Enable Microsoft Defender ATP Insider Device](endpoint-detection-response-mac-preview.md). +To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an "Insider" device. -## How to install Microsoft Defender ATP for Mac +## How to install Microsoft Defender for Endpoint for Mac ### Prerequisites -- A Microsoft Defender ATP subscription and access to the Microsoft Defender Security Center portal +- A Defender for Endpoint subscription and access to the Microsoft Defender Security Center portal - Beginner-level experience in macOS and BASH scripting - Administrative privileges on the device (in case of manual deployment) ### Installation instructions -There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. +There are several methods and deployment tools that you can use to install and configure Defender for Endpoint for Mac. - Third-party management tools: - [Microsoft Intune-based deployment](mac-install-with-intune.md) @@ -65,24 +71,30 @@ There are several methods and deployment tools that you can use to install and c The three most recent major releases of macOS are supported. -- 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra) +> [!IMPORTANT] +> On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md). + +> [!IMPORTANT] +> Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021. + +- 11 (Big Sur), 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra) - Disk space: 1GB -Beta versions of macOS are not supported. macOS Sierra (10.12) support ended on January 1, 2020. +Beta versions of macOS are not supported. After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. ### Licensing requirements -Microsoft Defender Advanced Threat Protection for Mac requires one of the following Microsoft Volume Licensing offers: +Microsoft Defender for Endpoint for Mac requires one of the following Microsoft Volume Licensing offers: - Microsoft 365 E5 (M365 E5) - Microsoft 365 E5 Security - Microsoft 365 A5 (M365 A5) > [!NOTE] -> Eligible licensed users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices. -> Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed. +> Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices. +> Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed. ### Network connections @@ -92,11 +104,9 @@ The following downloadable spreadsheet lists the services and their associated U |**Spreadsheet of domains list**|**Description**| |:-----|:-----| -|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)
        | Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

        [Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) +|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)
        | Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

        Download the spreadsheet here: [mdatp-urls.xlsx](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx). - - -Microsoft Defender ATP can discover a proxy server by using the following discovery methods: +Microsoft Defender for Endpoint can discover a proxy server by using the following discovery methods: - Proxy autoconfig (PAC) - Web Proxy Autodiscovery Protocol (WPAD) - Manual static proxy configuration @@ -106,7 +116,7 @@ If a proxy or firewall is blocking anonymous traffic, make sure that anonymous t > [!WARNING] > Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used. > -> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. +> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser. @@ -125,25 +135,25 @@ The output from this command should be similar to the following: > [!CAUTION] > We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default. -Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal: +Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal: ```bash -mdatp --connectivity-test +mdatp connectivity test ``` -## How to update Microsoft Defender ATP for Mac +## How to update Microsoft Defender for Endpoint for Mac -Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. To learn more, see [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) +Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender for Endpoint for Mac, a program named Microsoft AutoUpdate (MAU) is used. To learn more, see [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md). -## How to configure Microsoft Defender ATP for Mac +## How to configure Microsoft Defender for Endpoint for Mac -Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md). +Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). ## macOS kernel and system extensions -In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. Visit [What's new in Microsoft Defender Advanced Threat Protection for Mac](mac-whatsnew.md) for relevant details. +In alignment with macOS evolution, we are preparing a Microsoft Defender for Endpoint for Mac update that leverages system extensions instead of kernel extensions. For relevant details, see [What's new in Microsoft Defender for Endpoint for Mac](mac-whatsnew.md). ## Resources -- For more information about logging, uninstalling, or other topics, see the [Resources](mac-resources.md) page. +- For more information about logging, uninstalling, or other topics, see [Resources for Microsoft Defender for Endpoint for Mac](mac-resources.md). -- [Privacy for Microsoft Defender ATP for Mac](mac-privacy.md) +- [Privacy for Microsoft Defender for Endpoint for Mac](mac-privacy.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md index e04a02313b..610f3f8fb7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md @@ -4,7 +4,7 @@ description: Microsoft Defender Security Center is the portal where you can acce keywords: windows, defender, security, center, defender, advanced, threat, protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,17 +14,23 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender Security Center [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks. +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +Microsoft Defender Security Center is the portal where you can access Microsoft Defender for Endpoint capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks. ## In this section @@ -35,9 +41,8 @@ Get started | Learn about the minimum requirements, validate licensing and com [Understand the portal](use.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal. Investigate and remediate threats | Investigate alerts, devices, and take response actions to remediate threats. API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Microsoft Defender Security Center. -Reporting | Create and build Power BI reports using Microsoft Defender ATP data. +Reporting | Create and build Power BI reports using Microsoft Defender for Endpoint data. Check service health and sensor state | Verify that the service is running and check the sensor state on devices. [Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure general settings, turn on the preview experience, notifications, and enable other features. -[Access the Microsoft Defender ATP Community Center](community.md) | Access the Microsoft Defender ATP Community Center to learn, collaborate, and share experiences about the product. -[Troubleshoot service issues](troubleshoot-mdatp.md) | This section addresses issues that might arise as you use the Microsoft Defender Advanced Threat service. - +[Access the Microsoft Defender for Endpoint Community Center](community.md) | Access the Microsoft Defender for Endpoint Community Center to learn, collaborate, and share experiences about the product. +[Troubleshoot service issues](troubleshoot-mdatp.md) | This section addresses issues that might arise as you use the Microsoft Defender for Endpoint service. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index 809d5b363d..30bc744eff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md @@ -1,11 +1,11 @@ --- -title: Microsoft Threat Experts +title: Microsoft Threat Experts ms.reviewer: description: Microsoft Threat Experts provides an additional layer of expertise to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: managed threat hunting service, managed threat hunting, managed detection and response (MDR) service, MTE, Microsoft Threat Experts search.product: Windows 10 search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Microsoft Threat Experts @@ -25,7 +26,11 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + Microsoft Threat Experts is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed. @@ -40,7 +45,7 @@ Watch this video for a quick overview of Microsoft Threat Experts. > [!NOTE] > Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service. -Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. +Microsoft Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Your 90-day Experts on Demand trial is free, and the Targeted Attack Notification at that time is still a paid service. You will only be billed for Experts on Demand engagements when you get a full subscription. Contact your Microsoft representative to get a full Experts on-Demand subscription. diff --git a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md index 308308a4d0..bda2c4c2d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md +++ b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md @@ -1,27 +1,33 @@ --- title: Migration guides to make the switch to Microsoft Defender for Endpoint description: Learn how to make the switch from a non-Microsoft threat protection solution to Microsoft Defender for Endpoint -search.appverid: MET150 +search.appverid: MET150 author: denisebmsft ms.author: deniseb manager: dansimp audience: ITPro ms.topic: conceptual -ms.prod: w10 +ms.prod: m365-security ms.localizationpriority: medium ms.collection: -- M365-security-compliance -- m365solution-scenario + - M365-security-compliance + - m365solution-scenario ms.custom: migrationguides ms.reviewer: chriggs, depicker, yongrhee -f1.keywords: NOCSH +f1.keywords: NOCSH ms.date: 09/24/2020 +ms.technology: mde --- # Make the switch to Microsoft Defender for Endpoint and Microsoft Defender Antivirus [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Migration guides @@ -29,8 +35,8 @@ If you're considering switching from a non-Microsoft threat protection solution |Scenario |Guidance | |:--|:--| -|You do not have an endpoint protection solution yet, and you want to know more about how Microsoft Defender for Endpoint & Microsoft Defender Antivirus work. |[Microsoft Defender ATP evaluation lab](evaluation-lab.md) | -|You have Microsoft Defender for Endpoint & Microsoft Defender Antivirus and need some help getting everything set up and configured. |[Microsoft Defender Advanced Threat Protection deployment guide](deployment-phases.md) | +|You do not have an endpoint protection solution yet, and you want to know more about how Microsoft Defender for Endpoint & Microsoft Defender Antivirus work. |[Microsoft Defender for Endpoint evaluation lab](evaluation-lab.md) | +|You have Microsoft Defender for Endpoint & Microsoft Defender Antivirus and need some help getting everything set up and configured. |[Microsoft Defender for Endpoint deployment guide](deployment-phases.md) | |You're planning to migrate from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md) | |You're planning to migrate from Symantec Endpoint Protection (Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md) | |You're planning to migrate from a non-Microsoft endpoint protection solution (other than McAfee or Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Make the switch to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md) | diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 0f05ee52c8..13cbda189c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -1,10 +1,10 @@ --- -title: Minimum requirements for Microsoft Defender ATP +title: Minimum requirements for Microsoft Defender for Endpoint description: Understand the licensing requirements and requirements for onboarding devices to the service keywords: minimum requirements, licensing, comparison table search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,56 +15,65 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- -# Minimum requirements for Microsoft Defender ATP +# Minimum requirements for Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + There are some minimum requirements for onboarding devices to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service. -> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink). - +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink). > [!TIP] -> - Learn about the latest enhancements in Microsoft Defender ATP: [Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced). -> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). +> - Learn about the latest enhancements in Defender for Endpoint: [Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced). +> - Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). ## Licensing requirements -Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: +Microsoft Defender for Endpoint requires one of the following Microsoft volume licensing offers: - Windows 10 Enterprise E5 - Windows 10 Education A5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 -- Microsoft 365 E5 Security - Microsoft 365 A5 (M365 A5) +- Microsoft 365 E5 Security +- Microsoft 365 A5 Security +- Microsoft Defender for Endpoint > [!NOTE] -> Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices. -> Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed. +> Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices. +> Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). - - -Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options: +Microsoft Defender for Endpoint for servers requires one of the following licensing options: - [Azure Security Center with Azure Defender enabled](https://docs.microsoft.com/azure/security-center/security-center-pricing) -- Microsoft Defender ATP for Servers (one per covered server) +- Microsoft Defender for Endpoint for Server (one per covered server) > [!NOTE] -> Customers with a combined minimum of 50 licenses for one or more of the following may acquire Server SLs for Microsoft Defender Advanced Threat Protection for Servers (one per covered Server OSE): Microsoft Defender Advanced Threat Protection, Windows E5/A5, Microsoft 365 E5/A5 and Microsoft 365 E5 Security User SLs. This license applies to Microsoft Defender ATP for Linux. +> Customers may acquire server licenses (one per covered server Operating System Environment (OSE)) for Microsoft Defender for Endpoint for Servers if they have a combined minimum of 50 licenses for one or more of the following user licenses: +> +> * Microsoft Defender for Endpoint +> * Windows E5/A5 +> * Microsoft 365 E5/A5 +> * Microsoft 365 E5/A5 Security -For detailed licensing information, see the [Product Terms site](https://www.microsoft.com/licensing/terms/) and work with your account team to learn the detailed terms and conditions for the product. +For detailed licensing information, see the [Product Terms site](https://www.microsoft.com/licensing/terms/) and work with your account team to learn more about the terms and conditions. For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare). For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wfbdevicemanagementprod.blob.core.windows.net/windowsforbusiness/Windows10_CommercialEdition_Comparison.pdf). ## Browser requirements -Access to Microsoft Defender ATP is done through a browser, supporting the following browsers: +Access to Defender for Endpoint is done through a browser, supporting the following browsers: + - Microsoft Edge - Internet Explorer version 11 - Google Chrome @@ -91,41 +100,42 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo - Windows Server 2016 - Windows Server, version 1803 or later - Windows Server 2019 +- Windows Virtual Desktop Devices on your network must be running one of these editions. -The hardware requirements for Microsoft Defender ATP on devices are the same for the supported editions. +The hardware requirements for Defender for Endpoint on devices are the same for the supported editions. > [!NOTE] -> Machines running mobile versions of Windows are not supported. +> Machines running mobile versions of Windows (such as Windows CE and Windows 10 Mobile) are not supported. > -> Virtual Machines running Windows 10 Enterprise 2016 LTSB (which is based on Windows 10, version 1607) may encounter performance issues if run on non-Microsoft virtualization platforms. +> Virtual Machines running Windows 10 Enterprise 2016 LTSB may encounter performance issues if run on non-Microsoft virtualization platforms. > -> For virtual environments, we recommend using Windows 10 Enterprise LTSC 2019 (which is based on Windows 10, version 1809) or later. +> For virtual environments, we recommend using Windows 10 Enterprise LTSC 2019 or later. ### Other supported operating systems - Android -- Linux +- Linux - macOS > [!NOTE] -> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Microsoft Defender ATP for the integration to work. +> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Defender for Endpoint for the integration to work. ### Network and data storage and configuration requirements -When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter. +When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender for Endpoint-related information is stored: in the European Union, the United Kingdom, or the United States datacenter. > [!NOTE] > - You cannot change your data storage location after the first-time setup. -> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data. +> - Review the [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data. ### Diagnostic data settings > [!NOTE] -> Microsoft Defender ATP doesn't require any specific diagnostic level as long as it's enabled. +> Microsoft Defender for Endpoint doesn't require any specific diagnostic level as long as it's enabled. Make sure that the diagnostic data service is enabled on all the devices in your organization. By default, this service is enabled. It's good practice to check to ensure that you'll get sensor data from them. @@ -176,7 +186,7 @@ You'll need to set the service to automatically start if the **START_TYPE** is n #### Internet connectivity Internet connectivity on devices is required either directly or through proxy. -The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5 MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth. +The Defender for Endpoint sensor can utilize a daily average bandwidth of 5 MB to communicate with the Defender for Endpoint cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth. For more information on additional proxy configuration settings, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md). @@ -184,26 +194,24 @@ Before you onboard devices, the diagnostic data service must be enabled. The ser ## Microsoft Defender Antivirus configuration requirement -The Microsoft Defender ATP agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them. +The Defender for Endpoint agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them. -Configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). +Configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). -When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode. +When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Defender for Endpoint service, Microsoft Defender Antivirus goes on passive mode. If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy. -If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md). +If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). > [!NOTE] > Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on. -For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). - ## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled -If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Microsoft Defender ATP agent will successfully onboard. +If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard. -If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). +If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md index 36d7f8db37..f7961db47d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md @@ -1,10 +1,10 @@ --- -title: Supported managed security service providers +title: Supported managed security service providers description: See the list of MSSPs that Microsoft Defender ATP integrates with keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,20 +13,26 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Supported managed security service providers **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +The following managed security service providers can be accessed through the portal. Logo |Partner name | Description :---|:---|:--- ![Image of BDO Digital logo](images/bdo-logo.png)| [BDO Digital](https://go.microsoft.com/fwlink/?linkid=2090394) | BDO Digital's Managed Defense leverages best practice tools, AI, and in-house security experts for 24/7/365 identity protection -![Image of BlueVoyant logo](images/bluevoyant-logo.png)| [BlueVoyant](https://go.microsoft.com/fwlink/?linkid=2121401) | MDR for Microsoft Defender ATP provides support in monitoring, investigating, and mitigating advanced attacks on endpoints +![Image of BlueVoyant logo](images/bluevoyant-logo.png)| [BlueVoyant](https://go.microsoft.com/fwlink/?linkid=2121401) | MDR for Microsoft Defender for Endpoint provides support in monitoring, investigating, and mitigating advanced attacks on endpoints ![Image of Cloud Security Center logo](images/cloudsecuritycenter-logo.png)| [Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2099315) | InSpark's Cloud Security Center is a 24x7 managed service that delivers protect, detect & respond capabilities ![Image of Cloud SOC logo](images/cloudsoc-logo.png)| [Cloud SOC](https://go.microsoft.com/fwlink/?linkid=2104265) | Cloud SOC provides 24/7 security monitoring services based on Microsoft cloud and helps you to continuously improve your security posture ![Image of CSIS Managed Detection & Response logo](images/csis-logo.png)| [CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2091005) | 24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when and how security incidents have taken place @@ -36,8 +42,9 @@ Logo |Partner name | Description ![Image of Red Canary logo](images/redcanary-logo.png)| [Red Canary](https://go.microsoft.com/fwlink/?linkid=2103852) | Red Canary is a security operations partner for modern teams, MDR deployed in minutes ![Image of SecureWorks Managed Detection and Response Powered by Red Cloak logo](images/secureworks-logo.png)| [SecureWorks Managed Detection and Response Powered by Red Cloak](https://go.microsoft.com/fwlink/?linkid=2133634) | Secureworks combines threat intelligence and 20+ years of experience into SaaS and managed security solutions ![Image of sepagoSOC logo](images/sepago-logo.png)| [sepagoSOC](https://go.microsoft.com/fwlink/?linkid=2090491) | Ensure holistic security through sophisticated automated workflows in your zero trust environment -![Image of Trustwave Threat Detection & Response Services logo](images/trustwave-logo.png)| [Trustwave Threat Detection & Response Services](https://go.microsoft.com/fwlink/?linkid=2127542) | Threat Detection and Response services for Azure leveraging integrations with Sentinel and Microsoft Defender ATP -![Image of Wortell's cloud SOC logo](images/wortell-logo.png)| [Wortell's cloud SOC](https://go.microsoft.com/fwlink/?linkid=2108415) | 24x7 managed Microsoft Defender ATP service for monitoring & response +![Image of Trustwave Threat Detection & Response Services logo](images/trustwave-logo.png)| [Trustwave Threat Detection & Response Services](https://go.microsoft.com/fwlink/?linkid=2127542) | Threat Detection and Response services for Azure leveraging integrations with Sentinel and Defender for Endpoint +![Image of White Shark Managed Security Services](images/white-shark.png)| [White Shark Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2154210) |True expert approach to cyber security with transparent pricing on every platform, mobile included. +![Image of Wortell's cloud SOC logo](images/wortell-logo.png)| [Wortell's cloud SOC](https://go.microsoft.com/fwlink/?linkid=2108415) | 24x7 managed Defender for Endpoint service for monitoring & response ![Image of Zero Trust Analytics Platform (ZTAP) logo](images/ztap-logo.png)| [Zero Trust Analytics Platform (ZTAP)](https://go.microsoft.com/fwlink/?linkid=2090971) | Reduce your alerts by 99% and access a full range of security capabilities from mobile devices ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md index 6982d30ef4..5b69830dc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md @@ -4,7 +4,7 @@ description: Understand how Microsoft Defender ATP integrates with managed secur keywords: mssp, integration, managed, security, service, provider search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,28 +13,30 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Managed security service provider partnership opportunities [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network. -To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Microsoft Defender ATP. +To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Defender for Endpoint. -Microsoft Defender ATP adds partnership opportunities for this scenario and allows MSSPs to take the following actions: +Defender for Endpoint adds partnership opportunities for this scenario and allows MSSPs to take the following actions: - Get access to MSSP customer's Microsoft Defender Security Center portal - Get email notifications, and diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index eec4470439..065da4f483 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -3,7 +3,7 @@ title: Use network protection to help prevent connections to bad sites description: Protect your network by preventing users from accessing known malicious and suspicious network addresses keywords: Network protection, exploits, malicious website, ip, domain, domains search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,21 +11,22 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 04/30/2019 ms.reviewer: manager: dansimp ms.custom: asr - +ms.technology: mde --- # Protect your network [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. @@ -33,12 +34,12 @@ Network protection expands the scope of [Microsoft Defender SmartScreen](../micr Network protection is supported beginning with Windows 10, version 1709. -For more details about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. +For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. > [!TIP] > You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Network protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Network protection works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. @@ -46,17 +47,22 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network ## Requirements -Network protection requires Windows 10 Pro, Enterprise E3, E5 and Microsoft Defender AV real-time protection. +Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender Antivirus real-time protection. -Windows 10 version | Microsoft Defender Antivirus --|- -Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled +| Windows 10 version | Microsoft Defender Antivirus | +|:---|:---| +| Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled | -## Review network protection events in the Microsoft Defender ATP Security Center +After you have enabled the services, you might need to configure your network or firewall to allow the connections between the services and your endpoints. -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +- .smartscreen.microsoft.com +- .smartscreen-prod.microsoft.com -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how network protection settings would affect your environment if they were enabled. +## Review network protection events in the Microsoft Defender for Endpoint Security Center + +Microsoft Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). + +You can query Microsoft Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how network protection settings would affect your environment if they were enabled. Here is an example query @@ -71,18 +77,18 @@ You can review the Windows event log to see events that are created when network 1. [Copy the XML directly](event-views.md). -2. Click **OK**. +2. Select **OK**. 3. This will create a custom view that filters to only show the following events related to network protection: - Event ID | Description - -|- - 5007 | Event when settings are changed - 1125 | Event when network protection fires in audit mode - 1126 | Event when network protection fires in block mode + | Event ID | Description | + |:---|:---| + | 5007 | Event when settings are changed | + | 1125 | Event when network protection fires in audit mode | + | 1126 | Event when network protection fires in block mode | ## Related articles -- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created. +- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created. - [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 54a1538ebe..1a62b95bac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -4,7 +4,7 @@ description: This new capability uses a game-changing risk-based approach to the keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, microsoft defender atp, microsoft defender atp, endpoint vulnerabilities, next generation search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: overview +ms.technology: mde --- # Threat and vulnerability management @@ -22,10 +23,11 @@ ms.topic: overview [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. @@ -43,11 +45,11 @@ Vulnerability management is the first solution in the industry to bridge the gap ### Real-time discovery -To discover endpoint vulnerabilities and misconfiguration, threat and vulnerability management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead. +To discover endpoint vulnerabilities and misconfiguration, threat and vulnerability management uses the same agentless built-in Defender for Endpoint sensors to reduce cumbersome network scans and IT overhead. It also provides: -- **Real-time device inventory** - Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. +- **Real-time device inventory** - Devices onboarded to Defender for Endpoint automatically report and push vulnerability and security configuration data to the dashboard. - **Visibility into software and vulnerabilities** - Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. - **Application runtime context** - Visibility on application usage patterns for better prioritization and decision-making. - **Configuration posture** - Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations. @@ -79,7 +81,7 @@ Watch this video for a comprehensive walk-through of threat and vulnerability ma Area | Description :---|:--- **Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data. -[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations and related threat information. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. +[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations and related threat information. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Defender for Endpoint. [**Remediation**](tvm-remediation.md) | See remediation activities you've created and recommendation exceptions. [**Software inventory**](tvm-software-inventory.md) | See the list of vulnerable software in your organization, along with weakness and threat information. [**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures (CVEs) in your organization. @@ -91,7 +93,7 @@ Run threat and vulnerability management-related API calls to automate vulnerabil See the following articles for related APIs: -- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) +- [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md) - [Machine APIs](machine.md) - [Recommendation APIs](vulnerability.md) - [Score APIs](score.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md index 2de422a306..517c697b71 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md @@ -3,7 +3,7 @@ title: Microsoft Defender ATP for non-Windows platforms description: Learn about Microsoft Defender ATP capabilities for non-Windows platforms keywords: non windows, mac, macos, linux, android search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,23 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-evalutatemtp + - M365-security-compliance + - m365solution-evalutatemtp ms.topic: article +ms.technology: mde --- -# Microsoft Defender ATP for non-Windows platforms +# Microsoft Defender for Endpoint for non-Windows platforms [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + Microsoft has been on a journey to extend its industry leading endpoint security capabilities beyond Windows and Windows Server to macOS, Linux, Android, and soon iOS. @@ -36,44 +40,44 @@ have committed to building security solutions not just *for* Microsoft, but also heterogenous environments. We're listening to customer feedback and partnering closely with our customers to build solutions that meet their needs. -With Microsoft Defender ATP, customers benefit from a unified view of all +With Microsoft Defender for Endpoint, customers benefit from a unified view of all threats and alerts in the Microsoft Defender Security Center, across Windows and non-Windows platforms, enabling them to get a full picture of what's happening in their environment, which empowers them to more quickly assess and respond to threats. -## Microsoft Defender ATP for Mac +## Microsoft Defender for Endpoint on macOS -Microsoft Defender ATP for Mac offers AV and EDR capabilities for the three +Microsoft Defender for Endpoint on macOS offers antivirus and endpoint detection and response (EDR) capabilities for the three latest released versions of macOS. Customers can deploy and manage the solution through Microsoft Endpoint Manager and Jamf. Just like with Microsoft Office applications on macOS, Microsoft Auto Update is used to manage Microsoft -Defender ATP for Mac updates. For information about the key features and +Defender for Endpoint on Mac updates. For information about the key features and benefits, read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/macOS). -For more details on how to get started, visit the Microsoft Defender ATP for Mac +For more details on how to get started, visit the Defender for Endpoint on macOS [documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). -## Microsoft Defender ATP for Linux +## Microsoft Defender for Endpoint on Linux -Microsoft Defender ATP for Linux offers preventative (AV) capabilities for Linux +Microsoft Defender for Endpoint on Linux offers preventative (AV) capabilities for Linux servers. This includes a full command line experience to configure and manage the agent, initiate scans, and manage threats. We support recent versions of the six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS, or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2. Microsoft -Defender ATP for Linux can be deployed and configured using Puppet, Ansible, or +Defender for Endpoint on Linux can be deployed and configured using Puppet, Ansible, or using your existing Linux configuration management tool. For information about the key features and benefits, read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Linux). -For more details on how to get started, visit the Microsoft Defender ATP for +For more details on how to get started, visit the Microsoft Defender for Endpoint on Linux [documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). -## Microsoft Defender ATP for Android +## Microsoft Defender for Endpoint on Android -Microsoft Defender ATP for Android is our mobile threat defense solution for +Microsoft Defender for Endpoint on Android is our mobile threat defense solution for devices running Android 6.0 and higher. Both Android Enterprise (Work Profile) and Device Administrator modes are supported. On Android, we offer web protection, which includes anti-phishing, blocking of unsafe connections, and @@ -83,28 +87,37 @@ through integration with Microsoft Endpoint Manager and Conditional Access. For information about the key features and benefits, read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Android). -For more details on how to get started, visit the Microsoft Defender ATP for +For more details on how to get started, visit the Microsoft Defender for Endpoint on Android [documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android). +## Microsoft Defender for Endpoint on iOS +Microsoft Defender for Endpoint on iOS is our mobile threat defense solution for devices +running iOS 11.0 and higher. Both Supervised and Unsupervised devices are supported. +On iOS, we offer web protection which includes anti-phishing, blocking unsafe connections, and +setting custom indicators. For more information about the key features and benefits, +read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/iOS). + +For more details on how to get started, visit the Microsoft Defender for Endpoint +on iOS [documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios). ## Licensing requirements -Eligible Licensed Users may use Microsoft Defender ATP on up to five concurrent -devices. Microsoft Defender ATP is also available for purchase from a Cloud +Eligible Licensed Users may use Microsoft Defender for Endpoint on up to five concurrent +devices. Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). -Customers can obtain Microsoft Defender ATP for Mac through a standalone -Microsoft Defender ATP license, as part of Microsoft 365 A5/E5, or Microsoft 365 +Customers can obtain Microsoft Defender for Endpoint on macOS through a standalone +Microsoft Defender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft 365 Security. -Recently announced capabilities of Microsoft Defender ATP for Android and soon -iOS are included in the above mentioned offers as part of the five qualified +Recently announced capabilities of Microsoft Defender for Endpoint for Android and iOS +are included in the above mentioned offers as part of the five qualified devices for eligible licensed users. -Microsoft Defender ATP for Linux is available through the Microsoft Defender ATP -for Server SKU that is available for both commercial and education customers. +Defender for Endpoint on Linux is available through the Defender for Endpoint +Server SKU that is available for both commercial and education customers. Please contact your account team or CSP for pricing and additional eligibility requirements. diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index 19496bd97c..a994c90a5b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -3,7 +3,7 @@ title: Offboard machine API description: Learn how to use an API to offboard a device from Windows Defender Advanced Threat Protection (WDATP). keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,22 +12,30 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Offboard machine API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description -Offboard device from Microsoft Defender ATP. +Offboard device from Defender for Endpoint. ## Limitations @@ -41,7 +49,7 @@ Offboard device from Microsoft Defender ATP. > This API is not supported on MacOS or Linux devices. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -55,7 +63,7 @@ Delegated (work or school account) | Machine.Offboard | 'Offboard machine' ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/machines/{id}/offboard +POST https://api.securitycenter.microsoft.com/api/machines/{id}/offboard ``` ## Request headers @@ -82,11 +90,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - +```http +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard ``` -POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard -Content-type: application/json + +```json { "Comment": "Offboard machine by automation" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index 7d9a09d143..aba249ebca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md @@ -4,7 +4,7 @@ description: Onboard Windows 10 devices, servers, non-Windows devices from the M keywords: offboarding, microsoft defender advanced threat protection offboarding, windows atp offboarding search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,11 +13,12 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- -# Offboard devices from the Microsoft Defender ATP service +# Offboard devices from the Microsoft Defender for Endpoint service [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -27,13 +28,22 @@ ms.topic: conceptual - Linux - Windows Server 2012 R2 - Windows Server 2016 -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-offboarddevices-abovefoldlink) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-offboarddevices-abovefoldlink) Follow the corresponding instructions depending on your preferred deployment method. +>[!NOTE] +> The status of a device will be switched to [Inactive](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding.
        +> Offboarded devices' data (such as Timeline, Alerts, Vulnerabilities, etc.) will remain in the portal until the configured [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) expires.
        +> The device's profile (without data) will remain in the [Devices List](machines-view-overview.md) for no longer than 180 days. +> In addition, devices that are not active in the last 30 days are not factored in on the data that reflects your organization's threat and vulnerability management [exposure score](tvm-exposure-score.md) and Microsoft Secure Score for Devices.
        +> To view only active devices, you can filter by [health state](machines-view-overview.md#health-state), [device tags](machine-tags.md) or [machine groups](machine-groups.md). + ## Offboard Windows 10 devices - [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script) - [Offboard devices using Group Policy](configure-endpoints-gp.md#offboard-devices-using-group-policy) @@ -45,7 +55,3 @@ Follow the corresponding instructions depending on your preferred deployment met ## Offboard non-Windows devices - [Offboard non-Windows devices](configure-endpoints-non-windows.md#offboard-non-windows-devices) ->[!NOTE] -> Offboarded devices will remain in the portal until [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) for the device's data expires. The status will be switched to ['Inactive'](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding.
        -> In addition, [Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's threat and vulnerability management exposure score and Microsoft Secure Score for Devices.](tvm-dashboard-insights.md)
        -> To view only active devices, you can filter by [health state](machines-view-overview.md#health-state) or by [device tags](machine-tags.md) and [groups](machine-groups.md) etc. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md index dab5b79f99..707d4681f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md @@ -4,7 +4,7 @@ description: Onboard Windows 10 devices, servers, non-Windows devices and learn keywords: onboarding, microsoft defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,28 +13,29 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- -# Onboard devices to the Microsoft Defender ATP service +# Onboard devices to the Microsoft Defender for Endpoint service [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) [!include[Prerelease information](../../includes/prerelease.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) -You'll need to go the onboarding section of the Microsoft Defender ATP portal to onboard any of the supported devices. Depending on the device, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device. +You'll need to go the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device. In general, to onboard devices to the service: - Verify that the device fulfills the [minimum requirements](minimum-requirements.md) -- Depending on the device, follow the configuration steps provided in the onboarding section of the Microsoft Defender ATP portal +- Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal - Use the appropriate management tool and deployment method for your devices - Run a detection test to verify that the devices are properly onboarded and reporting to the service @@ -57,15 +58,15 @@ The following table lists the available tools based on the endpoint that you nee ## In this section Topic | Description :---|:--- -[Onboard previous versions of Windows](onboard-downlevel.md)| Onboard Windows 7 and Windows 8.1 devices to Microsoft Defender ATP. -[Onboard Windows 10 devices](configure-endpoints.md) | You'll need to onboard devices for it to report to the Microsoft Defender ATP service. Learn about the tools and methods you can use to configure devices in your enterprise. -[Onboard servers](configure-server-endpoints.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP -[Onboard non-Windows devices](configure-endpoints-non-windows.md) | Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data. -[Run a detection test on a newly onboarded device](run-detection-test.md) | Run a script on a newly onboarded device to verify that it is properly reporting to the Microsoft Defender ATP service. -[Configure proxy and Internet settings](configure-proxy-internet.md)| Enable communication with the Microsoft Defender ATP cloud service by configuring the proxy and Internet connectivity settings. +[Onboard previous versions of Windows](onboard-downlevel.md)| Onboard Windows 7 and Windows 8.1 devices to Defender for Endpoint. +[Onboard Windows 10 devices](configure-endpoints.md) | You'll need to onboard devices for it to report to the Defender for Endpoint service. Learn about the tools and methods you can use to configure devices in your enterprise. +[Onboard servers](configure-server-endpoints.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Defender for Endpoint +[Onboard non-Windows devices](configure-endpoints-non-windows.md) | Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data. +[Run a detection test on a newly onboarded device](run-detection-test.md) | Run a script on a newly onboarded device to verify that it is properly reporting to the Defender for Endpoint service. +[Configure proxy and Internet settings](configure-proxy-internet.md)| Enable communication with the Defender for Endpoint cloud service by configuring the proxy and Internet connectivity settings. [Troubleshoot onboarding issues](troubleshoot-onboarding.md) | Learn about resolving issues that might arise during onboarding. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md index ca403709b0..015e66faac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md @@ -4,7 +4,7 @@ description: Onboard supported previous versions of Windows devices so that they keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard previous versions of Windows @@ -28,32 +29,33 @@ ms.topic: article - Windows 7 SP1 Pro - Windows 8.1 Pro - Windows 8.1 Enterprise -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevel-abovefoldlink). +>Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevel-abovefoldlink). -Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions. +Defender for Endpoint extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions. -To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to: +To onboard down-level Windows client endpoints to Defender for Endpoint, you'll need to: - Configure and update System Center Endpoint Protection clients. -- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below. +- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Defender for Endpoint as instructed below. > [!TIP] -> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint endpoint](run-detection-test.md). ## Configure and update System Center Endpoint Protection clients > [!IMPORTANT] > This step is required only if your organization uses System Center Endpoint Protection (SCEP). -Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. +Defender for Endpoint integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. The following steps are required to enable this integration: - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting - Configure your network to allow connections to the Microsoft Defender Antivirus cloud. For more information, see [Allow connections to the Microsoft Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud) -## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP +## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender for Endpoint ### Before you begin Review the following details to verify minimum system requirements: @@ -77,14 +79,18 @@ Review the following details to verify minimum system requirements: 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604). 2. Obtain the workspace ID: - - In the Microsoft Defender ATP navigation pane, select **Settings > Device management > Onboarding** + - In the Defender for Endpoint navigation pane, select **Settings > Device management > Onboarding** - Select **Windows 7 SP1 and 8.1** as the operating system - Copy the workspace ID and workspace key 3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent: - - Manually install the agent using setup
        + - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
        On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)** - - [Install the agent using command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script) + - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line). + - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation). + + > [!NOTE] + > If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. 4. If you're using a proxy to connect to the Internet see the Configure proxy settings section. @@ -93,10 +99,10 @@ Once completed, you should see onboarded endpoints in the portal within an hour. ### Configure proxy and Internet connectivity settings - Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway). -- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). +- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Defender for Endpoint service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). ## Offboard client endpoints -To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Microsoft Defender ATP. +To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Defender for Endpoint workspace. After offboarding the agent, the endpoint will no longer send sensor data to Defender for Endpoint. -> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevele-belowfoldlink). +> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevele-belowfoldlink). diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md index 41098d9b2e..f8f4833fc7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md @@ -1,11 +1,11 @@ --- -title: Onboard devices without Internet access to Microsoft Defender ATP +title: Onboard devices without Internet access to Microsoft Defender for Endpoint ms.reviewer: description: Onboard devices without Internet access so that they can send sensor data to the Microsoft Defender ATP sensor keywords: onboard, servers, vm, on-premise, oms gateway, log analytics, azure log analytics, mma search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,17 +14,22 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Onboard devices without Internet access to Microsoft Defender ATP +# Onboard devices without Internet access to Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + To onboard devices without Internet access, you'll need to take the following general steps: @@ -47,25 +52,25 @@ For more information about onboarding methods, see the following articles: - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) - - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint) point to Microsoft Defender ATP Workspace key & ID + - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint) point to Defender for Endpoint Workspace key & ID - Offline devices in the same network of Azure Log Analytics - Configure MMA to point to: - Azure Log Analytics IP as a proxy - - Microsoft Defender ATP workspace key & ID + - Defender for Endpoint workspace key & ID ## Azure virtual machines - Configure and enable [Azure Log Analytics workspace](https://docs.microsoft.com/azure/azure-monitor/platform/gateway) - Setup Azure Log Analytics Gateway (formerly known as OMS Gateway) to act as proxy or hub: - [Azure Log Analytics Gateway](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) - - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint) point to Microsoft Defender ATP Workspace key & ID + - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint) point to Defender for Endpoint Workspace key & ID - Offline Azure VMs in the same network of OMS Gateway - Configure Azure Log Analytics IP as a proxy - Azure Log Analytics Workspace Key & ID - Azure Security Center (ASC) - [Security Policy \> Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration) - - [Threat Detection \> Allow Microsoft Defender ATP to access my data](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration) + - [Threat Detection \> Allow Defender for Endpoint to access my data](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration) For more information, see [Working with security policies](https://docs.microsoft.com/azure/security-center/tutorial-security-policy). diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index 78edeae3ef..e38231a50b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md @@ -5,7 +5,7 @@ description: Configure and manage Microsoft Defender ATP capabilities such as at keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,19 +14,23 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- -# Configure and manage Microsoft Defender ATP capabilities +# Configure and manage Microsoft Defender for Endpoint capabilities [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Configure and manage all the Microsoft Defender ATP capabilities to get the best security protection for your organization. + +Configure and manage all the Defender for Endpoint capabilities to get the best security protection for your organization. ## In this section @@ -35,7 +39,7 @@ Topic | Description [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. [Configure next-generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next-generation protection to catch all types of emerging threats. [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts. -[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP. +[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Defender for Endpoint. [Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. [Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal-related settings such as general settings, advanced features, enable the preview experience and others. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md index 7435ab66b6..cfac9fcfd7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md @@ -1,9 +1,9 @@ --- -title: Onboarding using Microsoft Endpoint Configuration Manager -description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Configuration Manager -keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction +title: Onboarding using Microsoft Endpoint Configuration Manager +description: Learn how to onboard to Microsoft Defender for Endpoint using Microsoft Endpoint Configuration Manager +keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction, microsoft endpoint configuration manager search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,33 +13,48 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-endpointprotect -- m365solution-scenario + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-scenario ms.topic: article +ms.technology: mde --- -# Onboarding using Microsoft Endpoint Configuration Manager +# Onboarding using Microsoft Endpoint Configuration Manager [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -This article is part of the Deployment guide and acts as an example onboarding method that guides users in: +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +This article is part of the Deployment guide and acts as an example onboarding method. + +In the [Planning](deployment-strategy.md) topic, there were several methods provided to onboard devices to the service. This topic covers the co-management architecture. + +![Image of cloud-native architecture](images/co-management-architecture.png) +*Diagram of environment architectures* + + +While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). + + + +This topic guides users in: - Step 1: Onboarding Windows devices to the service -- Step 2: Configuring Microsoft Defender ATP capabilities +- Step 2: Configuring Defender for Endpoint capabilities This onboarding guidance will walk you through the following basic steps that you need to take when using Microsoft Endpoint Configuration Manager: - **Creating a collection in Microsoft Endpoint Configuration Manager** -- **Configuring Microsoft Defender ATP capabilities using Microsoft Endpoint Configuration Manager** +- **Configuring Microsoft Defender for Endpoint capabilities using Microsoft Endpoint Configuration Manager** >[!NOTE] >Only Windows devices are covered in this example deployment. -While Microsoft Defender ATP supports onboarding of various endpoints and tools, this article does not cover them. -For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). ## Step 1: Onboard Windows devices using Microsoft Endpoint Configuration Manager @@ -63,44 +78,45 @@ Follow the steps below to onboard endpoints using Microsoft Endpoint Configurati 1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-device-collections.png) + ![Image of Microsoft Endpoint Configuration Manager wizard1](images/configmgr-device-collections.png) 2. Right Click **Device Collection** and select **Create Device Collection**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-device-collection.png) + ![Image of Microsoft Endpoint Configuration Manager wizard2](images/configmgr-create-device-collection.png) 3. Provide a **Name** and **Limiting Collection**, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-limiting-collection.png) + ![Image of Microsoft Endpoint Configuration Manager wizard3](images/configmgr-limiting-collection.png) 4. Select **Add Rule** and choose **Query Rule**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-query-rule.png) + ![Image of Microsoft Endpoint Configuration Manager wizard4](images/configmgr-query-rule.png) 5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-direct-membership.png) + ![Image of Microsoft Endpoint Configuration Manager wizard5](images/configmgr-direct-membership.png) 6. Select **Criteria** and then choose the star icon. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-criteria.png) + ![Image of Microsoft Endpoint Configuration Manager wizard6](images/configmgr-criteria.png) 7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-simple-value.png) + ![Image of Microsoft Endpoint Configuration Manager wizard7](images/configmgr-simple-value.png) 8. Select **Next** and **Close**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-membership-rules.png) + ![Image of Microsoft Endpoint Configuration Manager wizard8](images/configmgr-membership-rules.png) 9. Select **Next**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-confirm.png) + ![Image of Microsoft Endpoint Configuration Manager wizard9](images/configmgr-confirm.png) + After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. -## Step 2: Configure Microsoft Defender ATP capabilities +## Step 2: Configure Microsoft Defender for Endpoint capabilities This section guides you in configuring the following capabilities using Microsoft Endpoint Configuration Manager on Windows devices: - [**Endpoint detection and response**](#endpoint-detection-and-response) @@ -120,22 +136,23 @@ Manager and deploy that policy to Windows 10 devices. 2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**. - ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png) + ![Image of Microsoft Defender for Endpoint onboarding wizard10](images/mdatp-onboarding-wizard.png) 3. Select **Download package**. - ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png) + ![Image of Microsoft Defender for Endpoint onboarding wizard11](images/mdatp-download-package.png) 4. Save the package to an accessible location. 5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**. 6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-policy.png) + ![Image of Microsoft Endpoint Configuration Manager wizard12](images/configmgr-create-policy.png) 7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-policy-name.png) + ![Image of Microsoft Endpoint Configuration Manager wizard13](images/configmgr-policy-name.png) + 8. Click **Browse**. @@ -144,29 +161,29 @@ Manager and deploy that policy to Windows 10 devices. 10. Click **Next**. 11. Configure the Agent with the appropriate samples (**None** or **All file types**). - ![Image of configuration settings](images/configmgr-config-settings.png) + ![Image of configuration settings1](images/configmgr-config-settings.png) 12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**. - ![Image of configuration settings](images/configmgr-telemetry.png) + ![Image of configuration settings2](images/configmgr-telemetry.png) 14. Verify the configuration, then click **Next**. - ![Image of configuration settings](images/configmgr-verify-configuration.png) + ![Image of configuration settings3](images/configmgr-verify-configuration.png) 15. Click **Close** when the Wizard completes. -16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**. +16. In the Microsoft Endpoint Configuration Manager console, right-click the Defender for Endpoint policy you just created and select **Deploy**. - ![Image of configuration settings](images/configmgr-deploy.png) + ![Image of configuration settings4](images/configmgr-deploy.png) 17. On the right panel, select the previously created collection and click **OK**. - ![Image of configuration settings](images/configmgr-select-collection.png) + ![Image of configuration settings5](images/configmgr-select-collection.png) #### Previous versions of Windows Client (Windows 7 and Windows 8.1) -Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows. +Follow the steps below to identify the Defender for Endpoint Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows. 1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**. @@ -225,7 +242,7 @@ Microsoft Defender Antivirus is a built-in antimalware solution that provides ne 2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**. - ![Image of next generation protection pane](images/1566ad81bae3d714cc9e0d47575a8cbd.png) + ![Image of next generation protection pane1](images/1566ad81bae3d714cc9e0d47575a8cbd.png) In certain industries or some select enterprise customers might have specific needs on how Antivirus is configured. @@ -235,36 +252,35 @@ needs on how Antivirus is configured. For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) - - ![Image of next generation protection pane](images/cd7daeb392ad5a36f2d3a15d650f1e96.png) + ![Image of next generation protection pane2](images/cd7daeb392ad5a36f2d3a15d650f1e96.png) - ![Image of next generation protection pane](images/36c7c2ed737f2f4b54918a4f20791d4b.png) + ![Image of next generation protection pane3](images/36c7c2ed737f2f4b54918a4f20791d4b.png) - ![Image of next generation protection pane](images/a28afc02c1940d5220b233640364970c.png) + ![Image of next generation protection pane4](images/a28afc02c1940d5220b233640364970c.png) - ![Image of next generation protection pane](images/5420a8790c550f39f189830775a6d4c9.png) + ![Image of next generation protection pane5](images/5420a8790c550f39f189830775a6d4c9.png) - ![Image of next generation protection pane](images/33f08a38f2f4dd12a364f8eac95e8c6b.png) + ![Image of next generation protection pane6](images/33f08a38f2f4dd12a364f8eac95e8c6b.png) - ![Image of next generation protection pane](images/41b9a023bc96364062c2041a8f5c344e.png) + ![Image of next generation protection pane7](images/41b9a023bc96364062c2041a8f5c344e.png) - ![Image of next generation protection pane](images/945c9c5d66797037c3caeaa5c19f135c.png) + ![Image of next generation protection pane8](images/945c9c5d66797037c3caeaa5c19f135c.png) - ![Image of next generation protection pane](images/3876ca687391bfc0ce215d221c683970.png) + ![Image of next generation protection pane9](images/3876ca687391bfc0ce215d221c683970.png) 3. Right-click on the newly created antimalware policy and select **Deploy**. - ![Image of next generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png) + ![Image of next generation protection pane10](images/f5508317cd8c7870627cb4726acd5f3d.png) 4. Target the new antimalware policy to your Windows 10 collection and click **OK**. - ![Image of next generation protection pane](images/configmgr-select-collection.png) + ![Image of next generation protection pane11](images/configmgr-select-collection.png) After completing this task, you now have successfully configured Windows Defender Antivirus. ### Attack surface reduction -The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit +The attack surface reduction pillar of Defender for Endpoint includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit Protection. All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode. @@ -273,34 +289,35 @@ To set ASR rules in Audit mode: 1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. - ![Image of Microsoft Endpoint Configuration Manager console](images/728c10ef26042bbdbcd270b6343f1a8a.png) - + ![Image of Microsoft Endpoint Configuration Manager console0](images/728c10ef26042bbdbcd270b6343f1a8a.png) 2. Select **Attack Surface Reduction**. 3. Set rules to **Audit** and click **Next**. - ![Image of Microsoft Endpoint Configuration Manager console](images/d18e40c9e60aecf1f9a93065cb7567bd.png) + + ![Image of Microsoft Endpoint Configuration Manager console1](images/d18e40c9e60aecf1f9a93065cb7567bd.png) 4. Confirm the new Exploit Guard policy by clicking on **Next**. - ![Image of Microsoft Endpoint Configuration Manager console](images/0a6536f2c4024c08709cac8fcf800060.png) + ![Image of Microsoft Endpoint Configuration Manager console2](images/0a6536f2c4024c08709cac8fcf800060.png) 5. Once the policy is created click **Close**. - ![Image of Microsoft Endpoint Configuration Manager console](images/95d23a07c2c8bc79176788f28cef7557.png) + ![Image of Microsoft Endpoint Configuration Manager console3](images/95d23a07c2c8bc79176788f28cef7557.png) - + ![Image of Microsoft Endpoint Manager console1](images/95d23a07c2c8bc79176788f28cef7557.png) + 6. Right-click on the newly created policy and choose **Deploy**. - ![Image of Microsoft Endpoint Configuration Manager console](images/8999dd697e3b495c04eb911f8b68a1ef.png) + ![Image of Microsoft Endpoint Configuration Manager console4](images/8999dd697e3b495c04eb911f8b68a1ef.png) 7. Target the policy to the newly created Windows 10 collection and click **OK**. - ![Image of Microsoft Endpoint Configuration Manager console](images/0ccfe3e803be4b56c668b220b51da7f7.png) + ![Image of Microsoft Endpoint Configuration Manager console5](images/0ccfe3e803be4b56c668b220b51da7f7.png) After completing this task, you now have successfully configured ASR rules in audit mode. @@ -318,11 +335,11 @@ endpoints. (This may take few minutes) 4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices. - ![A screenshot of attack surface reduction rules reports](images/f91f406e6e0aae197a947d3b0e8b2d0d.png) + ![A screenshot of attack surface reduction rules reports1](images/f91f406e6e0aae197a947d3b0e8b2d0d.png) 5. Click each device shows configuration details of ASR rules. - ![A screenshot of attack surface reduction rules reports](images/24bfb16ed561cbb468bd8ce51130ca9d.png) + ![A screenshot of attack surface reduction rules reports2](images/24bfb16ed561cbb468bd8ce51130ca9d.png) See [Optimize ASR rule deployment and detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details. @@ -331,29 +348,31 @@ detections](https://docs.microsoft.com/windows/security/threat-protection/micros #### Set Network Protection rules in Audit mode: 1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. - ![A screenshot System Center Configuration Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png) + ![A screenshot System Center Configuration Manager1](images/728c10ef26042bbdbcd270b6343f1a8a.png) 2. Select **Network protection**. 3. Set the setting to **Audit** and click **Next**. - ![A screenshot System Center Confirugatiom Manager](images/c039b2e05dba1ade6fb4512456380c9f.png) + ![A screenshot System Center Confirugatiom Manager2](images/c039b2e05dba1ade6fb4512456380c9f.png) 4. Confirm the new Exploit Guard Policy by clicking **Next**. - ![A screenshot Exploit GUard policy](images/0a6536f2c4024c08709cac8fcf800060.png) + ![A screenshot Exploit GUard policy1](images/0a6536f2c4024c08709cac8fcf800060.png) 5. Once the policy is created click on **Close**. - ![A screenshot Exploit GUard policy](images/95d23a07c2c8bc79176788f28cef7557.png) + ![A screenshot Exploit GUard policy2](images/95d23a07c2c8bc79176788f28cef7557.png) 6. Right-click on the newly created policy and choose **Deploy**. - ![A screenshot Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png) + ![A screenshot Microsoft Endpoint Configuration Manager1](images/8999dd697e3b495c04eb911f8b68a1ef.png) 7. Select the policy to the newly created Windows 10 collection and choose **OK**. - ![A screenshot Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png) + ![A screenshot Microsoft Endpoint Configuration Manager2](images/0ccfe3e803be4b56c668b220b51da7f7.png) + + After completing this task, you now have successfully configured Network Protection in audit mode. @@ -362,29 +381,29 @@ Protection in audit mode. 1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. - ![A screenshot of Microsoft Endpoint Configuration Manager ](images/728c10ef26042bbdbcd270b6343f1a8a.png) + ![A screenshot of Microsoft Endpoint Configuration Manager3](images/728c10ef26042bbdbcd270b6343f1a8a.png) 2. Select **Controlled folder access**. 3. Set the configuration to **Audit** and click **Next**. - ![A screenshot of Microsoft Endpoint Configuration Manager ](images/a8b934dab2dbba289cf64fe30e0e8aa4.png) + ![A screenshot of Microsoft Endpoint Configuration Manager4](images/a8b934dab2dbba289cf64fe30e0e8aa4.png) 4. Confirm the new Exploit Guard Policy by clicking on **Next**. - ![A screenshot of Microsoft Endpoint Configuration Manager ](images/0a6536f2c4024c08709cac8fcf800060.png) + ![A screenshot of Microsoft Endpoint Configuration Manager5](images/0a6536f2c4024c08709cac8fcf800060.png) 5. Once the policy is created click on **Close**. - ![A screenshot of Microsoft Endpoint Configuration Manager ](images/95d23a07c2c8bc79176788f28cef7557.png) + ![A screenshot of Microsoft Endpoint Configuration Manager6](images/95d23a07c2c8bc79176788f28cef7557.png) 6. Right-click on the newly created policy and choose **Deploy**. - ![A screenshot of Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png) + ![A screenshot of Microsoft Endpoint Configuration Manager7](images/8999dd697e3b495c04eb911f8b68a1ef.png) 7. Target the policy to the newly created Windows 10 collection and click **OK**. - ![A screenshot of Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png) + ![A screenshot of Microsoft Endpoint Configuration Manager8](images/0ccfe3e803be4b56c668b220b51da7f7.png) You have now successfully configured Controlled folder access in audit mode. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md index 29548856da..b7d42d9142 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md @@ -1,9 +1,9 @@ --- -title: Onboarding using Microsoft Endpoint Manager -description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Manager -keywords: onboarding, configuration, deploy, deployment, endpoint manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction +title: Onboarding using Microsoft Endpoint Manager +description: Learn how to onboard to Microsoft Defender for Endpoint using Microsoft Endpoint Manager +keywords: onboarding, configuration, deploy, deployment, endpoint manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction, microsoft endpoint manager search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,25 +13,40 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-endpointprotect -- m365solution-scenario + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-scenario ms.topic: article +ms.technology: mde --- -# Onboarding using Microsoft Endpoint Manager +# Onboarding using Microsoft Endpoint Manager [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +This article is part of the Deployment guide and acts as an example onboarding method. + +In the [Planning](deployment-strategy.md) topic, there were several methods provided to onboard devices to the service. This topic covers the cloud-native architecture. + +![Image of cloud-native architecture](images/cloud-native-architecture.png) +*Diagram of environment architectures* + +While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). -This article is part of the Deployment guide and acts as an example onboarding method that guides users in: +[Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) is a solution platform that unifies several services. It includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) for cloud-based device management. + + +This topic guides users in: - Step 1: Onboarding devices to the service by creating a group in Microsoft Endpoint Manager (MEM) to assign configurations on -- Step 2: Configuring Microsoft Defender ATP capabilities using Microsoft Endpoint Manager +- Step 2: Configuring Defender for Endpoint capabilities using Microsoft Endpoint Manager This onboarding guidance will walk you through the following basic steps that you need to take when using Microsoft Endpoint Manager: @@ -39,13 +54,13 @@ This onboarding guidance will walk you through the following basic steps that yo - Creating an Azure Active Directory group (User or Device) -- [Creating a Configuration Profile](#step-2-create-configuration-policies-to-configure-microsoft-defender-atp-capabilities) +- [Creating a Configuration Profile](#step-2-create-configuration-policies-to-configure-microsoft-defender-for-endpoint-capabilities) - In Microsoft Endpoint Manager, we'll guide you in creating a separate policy for each capability. -While Microsoft Defender ATP supports onboarding of various endpoints and tools, this article does not cover them. -For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). + + ## Resources @@ -80,12 +95,12 @@ needs.
        2. Open **Groups > New Group**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/66f724598d9c3319cba27f79dd4617a4.png) + > ![Image of Microsoft Endpoint Manager portal1](images/66f724598d9c3319cba27f79dd4617a4.png) 3. Enter details and create a new group. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/b1e0206d675ad07db218b63cd9b9abc3.png) + > ![Image of Microsoft Endpoint Manager portal2](images/b1e0206d675ad07db218b63cd9b9abc3.png) 4. Add your test user or device. @@ -96,20 +111,21 @@ needs.
        7. Find your test user or device and select it. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/149cbfdf221cdbde8159d0ab72644cd0.png) + > ![Image of Microsoft Endpoint Manager portal3](images/149cbfdf221cdbde8159d0ab72644cd0.png) 8. Your testing group now has a member to test. -## Step 2: Create configuration policies to configure Microsoft Defender ATP capabilities +## Step 2: Create configuration policies to configure Microsoft Defender for Endpoint capabilities In the following section, you'll create a number of configuration policies. First is a configuration policy to select which groups of users or devices will -be onboarded to Microsoft Defender ATP. +be onboarded to Defender for Endpoint: + +- [Endpoint detection and response](#endpoint-detection-and-response) Then you will continue by creating several -different types of endpoint security policies. +different types of endpoint security policies: -- [Endpoint detection and response](#endpoint-detection-and-response) - [Next-generation protection](#next-generation-protection) - [Attack surface reduction](#attack-surface-reduction--attack-surface-reduction-rules) @@ -121,7 +137,7 @@ different types of endpoint security policies. on **Create Profile**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/58dcd48811147feb4ddc17212b7fe840.png) + > ![Image of Microsoft Endpoint Manager portal4](images/58dcd48811147feb4ddc17212b7fe840.png) 3. Under **Platform, select Windows 10 and Later, Profile - Endpoint detection and response > Create**. @@ -129,39 +145,39 @@ different types of endpoint security policies. 4. Enter a name and description, then select **Next**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/a5b2d23bdd50b160fef4afd25dda28d4.png) + > ![Image of Microsoft Endpoint Manager portal5](images/a5b2d23bdd50b160fef4afd25dda28d4.png) 5. Select settings as required, then select **Next**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/cea7e288b5d42a9baf1aef0754ade910.png) + > ![Image of Microsoft Endpoint Manager portal6](images/cea7e288b5d42a9baf1aef0754ade910.png) > [!NOTE] - > In this instance, this has been auto populated as Microsoft Defender ATP has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender ATP in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp). + > In this instance, this has been auto populated as Defender for Endpoint has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender for Endpoint in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp). > - > The following image is an example of what you'll see when Microsoft Defender ATP is NOT integrated with Intune: + > The following image is an example of what you'll see when Microsoft Defender for Endpoint is NOT integrated with Intune: > - > ![Image of Microsoft Endpoint Manager portal](images/2466460812371ffae2d19a10c347d6f4.png) + > ![Image of Microsoft Endpoint Manager portal7](images/2466460812371ffae2d19a10c347d6f4.png) 6. Add scope tags if necessary, then select **Next**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/ef844f52ec2c0d737ce793f68b5e8408.png) + > ![Image of Microsoft Endpoint Manager portal8](images/ef844f52ec2c0d737ce793f68b5e8408.png) 7. Add test group by clicking on **Select groups to include** and choose your group, then select **Next**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/fc3525e20752da026ec9f46ab4fec64f.png) + > ![Image of Microsoft Endpoint Manager portal9](images/fc3525e20752da026ec9f46ab4fec64f.png) 8. Review and accept, then select **Create**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/289172dbd7bd34d55d24810d9d4d8158.png) + > ![Image of Microsoft Endpoint Manager portal10](images/289172dbd7bd34d55d24810d9d4d8158.png) 9. You can view your completed policy. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/5a568b6878be8243ea2b9d82d41ed297.png) + > ![Image of Microsoft Endpoint Manager portal11](images/5a568b6878be8243ea2b9d82d41ed297.png) ### Next-generation protection @@ -170,7 +186,7 @@ different types of endpoint security policies. 2. Navigate to **Endpoint security > Antivirus > Create Policy**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/6b728d6e0d71108d768e368b416ff8ba.png) + > ![Image of Microsoft Endpoint Manager portal12](images/6b728d6e0d71108d768e368b416ff8ba.png) 3. Select **Platform - Windows 10 and Later - Windows and Profile – Microsoft Defender Antivirus > Create**. @@ -178,34 +194,34 @@ different types of endpoint security policies. 4. Enter name and description, then select **Next**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/a7d738dd4509d65407b7d12beaa3e917.png) + > ![Image of Microsoft Endpoint Manager portal13](images/a7d738dd4509d65407b7d12beaa3e917.png) 5. In the **Configuration settings page**: Set the configurations you require for Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time Protection, and Remediation). > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/3840b1576d6f79a1d72eb14760ef5e8c.png) + > ![Image of Microsoft Endpoint Manager portal14](images/3840b1576d6f79a1d72eb14760ef5e8c.png) 6. Add scope tags if necessary, then select **Next**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/2055e4f9b9141525c0eb681e7ba19381.png) + > ![Image of Microsoft Endpoint Manager portal15](images/2055e4f9b9141525c0eb681e7ba19381.png) 7. Select groups to include, assign to your test group, then select **Next**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/48318a51adee06bff3908e8ad4944dc9.png) + > ![Image of Microsoft Endpoint Manager portal16](images/48318a51adee06bff3908e8ad4944dc9.png) 8. Review and create, then select **Create**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/dfdadab79112d61bd3693d957084b0ec.png) + > ![Image of Microsoft Endpoint Manager portal17](images/dfdadab79112d61bd3693d957084b0ec.png) 9. You'll see the configuration policy you created. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/38180219e632d6e4ec7bd25a46398da8.png) + > ![Image of Microsoft Endpoint Manager portal18](images/38180219e632d6e4ec7bd25a46398da8.png) ### Attack Surface Reduction – Attack surface reduction rules @@ -219,12 +235,12 @@ different types of endpoint security policies. rules > Create**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/522d9bb4288dc9c1a957392b51384fdd.png) + > ![Image of Microsoft Endpoint Manager portal19](images/522d9bb4288dc9c1a957392b51384fdd.png) 5. Enter a name and description, then select **Next**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png) + > ![Image of Microsoft Endpoint Manager portal20](images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png) 6. In the **Configuration settings page**: Set the configurations you require for Attack surface reduction rules, then select **Next**. @@ -235,27 +251,27 @@ different types of endpoint security policies. > For more information, see [Attack surface reduction rules](attack-surface-reduction.md). > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/dd0c00efe615a64a4a368f54257777d0.png) + > ![Image of Microsoft Endpoint Manager portal21](images/dd0c00efe615a64a4a368f54257777d0.png) 7. Add Scope Tags as required, then select **Next**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/6daa8d347c98fe94a0d9c22797ff6f28.png) + > ![Image of Microsoft Endpoint Manager portal22](images/6daa8d347c98fe94a0d9c22797ff6f28.png) 8. Select groups to include and assign to test group, then select **Next**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/45cefc8e4e474321b4d47b4626346597.png) + > ![Image of Microsoft Endpoint Manager portal23](images/45cefc8e4e474321b4d47b4626346597.png) 9. Review the details, then select **Create**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/2c2e87c5fedc87eba17be0cdeffdb17f.png) + > ![Image of Microsoft Endpoint Manager portal24](images/2c2e87c5fedc87eba17be0cdeffdb17f.png) 10. View the policy. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/7a631d17cc42500dacad4e995823ffef.png) + > ![Image of Microsoft Endpoint Manager portal25](images/7a631d17cc42500dacad4e995823ffef.png) ### Attack Surface Reduction – Web Protection @@ -268,12 +284,12 @@ different types of endpoint security policies. 4. Select **Windows 10 and Later – Web protection > Create**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png) + > ![Image of Microsoft Endpoint Manager portal26](images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png) 5. Enter a name and description, then select **Next**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/5be573a60cd4fa56a86a6668b62dd808.png) + > ![Image of Microsoft Endpoint Manager portal27](images/5be573a60cd4fa56a86a6668b62dd808.png) 6. In the **Configuration settings page**: Set the configurations you require for Web Protection, then select **Next**. @@ -284,27 +300,27 @@ different types of endpoint security policies. > For more information, see [Web Protection](web-protection-overview.md). > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/6104aa33a56fab750cf30ecabef9f5b6.png) + > ![Image of Microsoft Endpoint Manager portal28](images/6104aa33a56fab750cf30ecabef9f5b6.png) 7. Add **Scope Tags as required > Next**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/6daa8d347c98fe94a0d9c22797ff6f28.png) + > ![Image of Microsoft Endpoint Manager portal29](images/6daa8d347c98fe94a0d9c22797ff6f28.png) 8. Select **Assign to test group > Next**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/45cefc8e4e474321b4d47b4626346597.png) + > ![Image of Microsoft Endpoint Manager portal30](images/45cefc8e4e474321b4d47b4626346597.png) 9. Select **Review and Create > Create**. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/8ee0405f1a96c23d2eb6f737f11c1ae5.png) + > ![Image of Microsoft Endpoint Manager portal31](images/8ee0405f1a96c23d2eb6f737f11c1ae5.png) 10. View the policy. > [!div class="mx-imgBorder"] - > ![Image of Microsoft Endpoint Manager portal](images/e74f6f6c150d017a286e6ed3dffb7757.png) + > ![Image of Microsoft Endpoint Manager portal32](images/e74f6f6c150d017a286e6ed3dffb7757.png) ## Validate configuration settings @@ -322,22 +338,22 @@ To confirm that the configuration policy has been applied to your test device, f steps above. The following example shows the next generation protection settings. > [!div class="mx-imgBorder"] - > [ ![Image of Microsoft Endpoint Manager portal](images/43ab6aa74471ee2977e154a4a5ef2d39.png) ](images/43ab6aa74471ee2977e154a4a5ef2d39.png#lightbox) + > [ ![Image of Microsoft Endpoint Manager portal33](images/43ab6aa74471ee2977e154a4a5ef2d39.png) ](images/43ab6aa74471ee2977e154a4a5ef2d39.png#lightbox) 2. Select the **Configuration Policy** to view the policy status. > [!div class="mx-imgBorder"] - > [ ![Image of Microsoft Endpoint Manager portal](images/55ecaca0e4a022f0e29d45aeed724e6c.png) ](images/55ecaca0e4a022f0e29d45aeed724e6c.png#lightbox) + > [ ![Image of Microsoft Endpoint Manager portal34](images/55ecaca0e4a022f0e29d45aeed724e6c.png) ](images/55ecaca0e4a022f0e29d45aeed724e6c.png#lightbox) 3. Select **Device Status** to see the status. > [!div class="mx-imgBorder"] - > [ ![Image of Microsoft Endpoint Manager portal](images/18a50df62cc38749000dbfb48e9a4c9b.png) ](images/18a50df62cc38749000dbfb48e9a4c9b.png#lightbox) + > [ ![Image of Microsoft Endpoint Manager portal35](images/18a50df62cc38749000dbfb48e9a4c9b.png) ](images/18a50df62cc38749000dbfb48e9a4c9b.png#lightbox) 4. Select **User Status** to see the status. > [!div class="mx-imgBorder"] - > [ ![Image of Microsoft Endpoint Manager portal](images/4e965749ff71178af8873bc91f9fe525.png) ](images/4e965749ff71178af8873bc91f9fe525.png#lightbox) + > [ ![Image of Microsoft Endpoint Manager portal36](images/4e965749ff71178af8873bc91f9fe525.png) ](images/4e965749ff71178af8873bc91f9fe525.png#lightbox) 5. Select **Per-setting status** to see the status. @@ -345,22 +361,22 @@ To confirm that the configuration policy has been applied to your test device, f >This view is very useful to identify any settings that conflict with another policy. > [!div class="mx-imgBorder"] - > [ ![Image of Microsoft Endpoint Manager portal](images/42acc69d0128ed09804010bdbdf0a43c.png) ](images/42acc69d0128ed09804010bdbdf0a43c.png#lightbox) + > [ ![Image of Microsoft Endpoint Manager portal37](images/42acc69d0128ed09804010bdbdf0a43c.png) ](images/42acc69d0128ed09804010bdbdf0a43c.png#lightbox) ### Endpoint detection and response -1. Before applying the configuration, the Microsoft Defender ATP +1. Before applying the configuration, the Defender for Endpoint Protection service should not be started. > [!div class="mx-imgBorder"] - > [ ![Image of Services panel](images/b418a232a12b3d0a65fc98248dbb0e31.png) ](images/b418a232a12b3d0a65fc98248dbb0e31.png#lightbox) + > [ ![Image of Services panel1](images/b418a232a12b3d0a65fc98248dbb0e31.png) ](images/b418a232a12b3d0a65fc98248dbb0e31.png#lightbox) -2. After the configuration has been applied, the Microsoft Defender ATP +2. After the configuration has been applied, the Defender for Endpoint Protection Service should be started. > [!div class="mx-imgBorder"] - > [ ![Image of Services panel](images/a621b699899f1b41db211170074ea59e.png) ](images/a621b699899f1b41db211170074ea59e.png#lightbox) + > [ ![Image of Services panel2](images/a621b699899f1b41db211170074ea59e.png) ](images/a621b699899f1b41db211170074ea59e.png#lightbox) 3. After the services are running on the device, the device appears in Microsoft Defender Security Center. @@ -374,7 +390,7 @@ To confirm that the configuration policy has been applied to your test device, f manage the settings as shown below. > [!div class="mx-imgBorder"] - > ![Image of setting page](images/88efb4c3710493a53f2840c3eac3e3d3.png) + > ![Image of setting page1](images/88efb4c3710493a53f2840c3eac3e3d3.png) 2. After the policy has been applied, you should not be able to manually manage the settings. @@ -384,7 +400,7 @@ To confirm that the configuration policy has been applied to your test device, f > **Turn on real-time protection** are being shown as managed. > [!div class="mx-imgBorder"] - > ![Image of setting page](images/9341428b2d3164ca63d7d4eaa5cff642.png) + > ![Image of setting page2](images/9341428b2d3164ca63d7d4eaa5cff642.png) ### Attack Surface Reduction – Attack surface reduction rules @@ -399,13 +415,13 @@ To confirm that the configuration policy has been applied to your test device, f > > AttackSurfaceReductionRules_Ids: - ![Image of command line](images/cb0260d4b2636814e37eee427211fe71.png) + ![Image of command line1](images/cb0260d4b2636814e37eee427211fe71.png) 3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`. 4. This should respond with the following lines with content as shown below: - ![Image of command line](images/619fb877791b1fc8bc7dfae1a579043d.png) + ![Image of command line2](images/619fb877791b1fc8bc7dfae1a579043d.png) ### Attack Surface Reduction – Web Protection @@ -414,11 +430,11 @@ To confirm that the configuration policy has been applied to your test device, f 2. This should respond with a 0 as shown below. - ![Image of command line](images/196a8e194ac99d84221f405d0f684f8c.png) + ![Image of command line3](images/196a8e194ac99d84221f405d0f684f8c.png) 3. After applying the policy, open a PowerShell Windows and type `(Get-MpPreference).EnableNetworkProtection`. 4. This should respond with a 1 as shown below. - ![Image of command line](images/c06fa3bbc2f70d59dfe1e106cd9a4683.png) + ![Image of command line4](images/c06fa3bbc2f70d59dfe1e106cd9a4683.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md index 30c80bb608..1cdfe2f6b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md @@ -1,10 +1,10 @@ --- -title: Create an onboarding or offboarding notification rule +title: Create an onboarding or offboarding notification rule description: Get a notification when a local onboarding or offboarding script is used. keywords: onboarding, offboarding, local, script, notification, rule search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create a notification rule when a local onboarding or offboarding script is used @@ -23,9 +24,18 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -Create a notification rule so that when a local onboarding or offboardiing script is used, you'll be notified. + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + + +Create a notification rule so that when a local onboarding or offboarding script is used, you'll be notified. ## Before you begin You'll need to have access to: @@ -48,7 +58,7 @@ You'll need to have access to: ![Image of the notification flow](images/build-flow.png) -4. Select the + button to add a new action. The new action will be an HTTP request to the Microsoft Defender ATP security center device(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines"). +4. Select the + button to add a new action. The new action will be an HTTP request to the Defender for Endpoint security center device(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines"). ![Image of recurrence and add action](images/recurrence-add.png) @@ -56,13 +66,13 @@ You'll need to have access to: 5. Enter the following HTTP fields: - Method: "GET" as a value to get the list of devices. - - URI: Enter `https://api.securitycenter.windows.com/api/machines`. + - URI: Enter `https://api.securitycenter.microsoft.com/api/machines`. - Authentication: Select "Active Directory OAuth". - Tenant: Sign-in to https://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. - Audience: `https://securitycenter.onmicrosoft.com/windowsatpservice\` - Client ID: Sign-in to https://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Client ID value. - Credential Type: Select "Secret". - - Secret: Sign-in to https://portal.azure.com and navigate tnd navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. + - Secret: Sign-in to https://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. ![Image of the HTTP conditions](images/http-conditions.png) @@ -164,7 +174,7 @@ You'll need to have access to: 10. Extract the values from the JSON call and check if the onboarded device(s) is / are already registered at the SharePoint list as an example: - If yes, no notification will be triggered -- If no, will register the new onboarded device(s) in the SharePoint list and a notification will be sent to the Microsoft Defender ATP admin +- If no, will register the new onboarded device(s) in the SharePoint list and a notification will be sent to the Defender for Endpoint admin ![Image of apply to each](images/flow-apply.png) @@ -173,8 +183,8 @@ You'll need to have access to: 11. Under **Condition**, add the following expression: "length(body('Get_items')?['value'])" and set the condition to equal to 0. ![Image of apply to each condition](images/apply-to-each-value.png) - ![Image of condition](images/conditions-2.png) - ![Image of condition](images/condition3.png) + ![Image of condition1](images/conditions-2.png) + ![Image of condition2](images/condition3.png) ![Image of send email](images/send-email.png) ## Alert notification diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index f26781b856..641f78a4e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -3,7 +3,7 @@ title: Onboard to the Microsoft Defender ATP service description: Learn how to onboard endpoints to Microsoft Defender ATP service keywords: search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,54 +13,50 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-endpointprotect -- m365solution-scenario + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-scenario ms.topic: article +ms.technology: mde --- -# Onboard to the Microsoft Defender ATP service +# Onboard to the Microsoft Defender for Endpoint service [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -Deploying Microsoft Defender ATP is a three-phase process: +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -
        - - - - - +Learn about the various phases of deploying Microsoft Defender for Endpoint and how to configure the capabilities within the solution. +Deploying Defender for Endpoint is a three-phase process: - -
        - - Prepare to deploy Microsoft Defender ATP -
        Phase 1: Prepare
        -         		- - Setup the Microsoft Defender ATP service -
        Phase 2: Set up
        -         		- - Onboard diagram -
        Phase 3: Onboard
        -
        +| [![deployment phase - prepare](images/phase-diagrams/prepare.png)](prepare-deployment.md)
        [Phase 1: Prepare](prepare-deployment.md) | [![deployment phase - setup](images/phase-diagrams/setup.png)](production-deployment.md)
        [Phase 2: Setup](production-deployment.md) | ![deployment phase - onboard](images/phase-diagrams/onboard.png)
        Phase 3: Onboard | +| ----- | ----- | ----- | +| | |*You are here!*| You are currently in the onboarding phase. -These are the steps you need to take to deploy Microsoft Defender ATP: +These are the steps you need to take to deploy Defender for Endpoint: - Step 1: Onboard endpoints to the service - Step 2: Configure capabilities ## Step 1: Onboard endpoints using any of the supported management tools -The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Microsoft Defender ATP. +The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Defender for Endpoint. + + +Watch this video for a quick overview of the onboarding process and learn about the available tools and methods. +
        +
        + +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr] + + After identifying your architecture, you'll need to decide which deployment method to use. The deployment tool you choose influences how you onboard endpoints to the service. @@ -88,7 +84,7 @@ The tools in the example deployments are: - [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md) - [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md) -Using the mentioned deployment tools above, you'll then be guided in configuring the following Microsoft Defender ATP capabilities: +Using the mentioned deployment tools above, you'll then be guided in configuring the following Defender for Endpoint capabilities: - Endpoint detection and response configuration - Next-generation protection configuration - Attack surface reduction configuration diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 6af7ba9c0f..e2686d0b0d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -5,7 +5,7 @@ description: Learn about the attack surface reduction capabilities of Microsoft keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender advanced threat protection, microsoft defender, antivirus, av, windows defender search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,19 +14,22 @@ author: denisebmsft ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.custom: asr ms.topic: conceptual +ms.technology: mde --- # Overview of attack surface reduction [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 3e8077b6b8..bc94c1f8f6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -5,7 +5,7 @@ description: Understand how you can use advanced hunting to create custom detect keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, interval, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Custom detections overview @@ -23,7 +24,11 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md index 0f3c036938..73e56c353d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md @@ -5,7 +5,7 @@ description: Learn about the endpoint detection and response capabilities in Mic keywords: search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Overview of endpoint detection and response @@ -24,16 +25,18 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. +Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4o1j5] -Inspired by the "assume breach" mindset, Microsoft Defender ATP continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors. +Inspired by the "assume breach" mindset, Defender for Endpoint continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors. The response capabilities give you the power to promptly remediate threats by acting on the affected entities. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md index 8b32269fe0..e9fbf258b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md @@ -3,7 +3,7 @@ title: Hardware-based isolation (Windows 10) ms.reviewer: description: Learn about how hardware-based isolation in Windows 10 helps to combat malware. search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,20 +11,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ms.author: macapara ms.date: 09/07/2018 +ms.technology: mde --- # Hardware-based isolation in Windows 10 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender ATP. + +Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender for Endpoint. | Feature | Description | |------------|-------------| diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md index 822b5afaab..998b06013b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md @@ -1,11 +1,11 @@ --- -title: Partner applications in Microsoft Defender ATP +title: Partner applications in Microsoft Defender ATP ms.reviewer: description: View supported partner applications to enhance the detection, investigation, and threat intelligence capabilities of the platform keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,25 +14,29 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- -# Partner applications in Microsoft Defender ATP +# Partner applications in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. -The support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; enabling security teams to effectively respond better to modern threats. +The support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender for Endpoint; enabling security teams to effectively respond better to modern threats. + +Microsoft Defender for Endpoint seamlessly integrates with existing security solutions. The integration provides integration with the following solutions such as: -Microsoft Defender ATP seamlessly integrates with existing security solutions. The integration provides integration with the following solutions such as: - SIEM - Ticketing and IT service management solutions - Managed security service providers (MSSP) @@ -47,16 +51,16 @@ Microsoft Defender ATP seamlessly integrates with existing security solutions. T Logo |Partner name | Description :---|:---|:--- -![Image of AttackIQ logo](images/attackiq-logo.png)| [AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502) | AttackIQ Platform validates Microsoft Defender ATP is configured properly by launching continuous attacks safely on production assets -![Image of Azure Sentinel logo](images/sentinel-logo.png)| [AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705) | Stream alerts from Microsoft Defender Advanced Threat Protection into Azure Sentinel -![Image of Cymulate logo](images/cymulate-logo.png) | [Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)| Correlate Microsoft Defender ATP findings with simulated attacks to validate accurate detection and effective response actions +![Image of AttackIQ logo](images/attackiq-logo.png)| [AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502) | AttackIQ Platform validates Defender for Endpoint is configured properly by launching continuous attacks safely on production assets +![Image of Azure Sentinel logo](images/sentinel-logo.png)| [AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705) | Stream alerts from Microsoft Defender for Endpoint into Azure Sentinel +![Image of Cymulate logo](images/cymulate-logo.png) | [Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)| Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions ![Image of Elastic security logo](images/elastic-security-logo.png) | [Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303) | Elastic Security is a free and open solution for preventing, detecting, and responding to threats -![Image of IBM QRadar logo](images/ibm-qradar-logo.png) | [IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903) | Configure IBM QRadar to collect detections from Microsoft Defender ATP -![Image of Micro Focus ArcSight logo](images/arcsight-logo.png) | [Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548) | Use Micro Focus ArcSight to pull Microsoft Defender ATP detections -![Image of RSA NetWitness logo](images/rsa-netwitness-logo.png) | [RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566) | Stream Microsoft Defender ATP Alerts to RSA NetWitness leveraging Microsoft Graph Security API -![Image of SafeBreach logo](images/safebreach-logo.png) | [SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)| Gain visibility into Microsoft Defender ATP security events that are automatically correlated with SafeBreach simulations +![Image of IBM QRadar logo](images/ibm-qradar-logo.png) | [IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903) | Configure IBM QRadar to collect detections from Defender for Endpoint +![Image of Micro Focus ArcSight logo](images/arcsight-logo.png) | [Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548) | Use Micro Focus ArcSight to pull Defender for Endpoint detections +![Image of RSA NetWitness logo](images/rsa-netwitness-logo.png) | [RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566) | Stream Defender for Endpoint Alerts to RSA NetWitness using Microsoft Graph Security API +![Image of SafeBreach logo](images/safebreach-logo.png) | [SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)| Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations ![Image of Skybox Vulnerability Control logo](images/skybox-logo.png) | [Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467) | Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities -![Image of Splunk logo](images/splunk-logo.png) | [Splunk](https://go.microsoft.com/fwlink/?linkid=2129805) | The Microsoft Defender ATP Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk +![Image of Splunk logo](images/splunk-logo.png) | [Splunk](https://go.microsoft.com/fwlink/?linkid=2129805) | The Defender for Endpoint Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk ![Image of XM Cyber logo](images/xmcyber-logo.png) | [XM Cyber](https://go.microsoft.com/fwlink/?linkid=2136700) | Prioritize your response to an alert based on risk factors and high value assets ### Orchestration and automation @@ -64,31 +68,31 @@ Logo |Partner name | Description Logo |Partner name | Description :---|:---|:--- -![Image of CyberSponse CyOps logo](images/cybersponse-logo.png) | [CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943) | CyOps integrates with Microsoft Defender ATP to automate customers' high-speed incident response playbooks -![Image of Delta Risk ActiveEye logo](images/delta-risk-activeeye-logo.png) | [Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468) | Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Microsoft Defender ATP with its cloud-native SOAR platform, ActiveEye. -![Image of Demisto, a Palo Alto Networks Company logo](images/demisto-logo.png) | [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414) | Demisto integrates with Microsoft Defender ATP to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response -![Image of Microsoft Flow & Azure Functions logo](images/ms-flow-logo.png) | [Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300) | Use the Microsoft Defender ATP connectors for Azure Logic Apps & Microsoft Flow to automating security procedures -![Image of Rapid7 InsightConnect logo](images/rapid7-logo.png) | [Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040) | InsightConnect integrates with Microsoft Defender ATP to accelerate, streamline, and integrate your time-intensive security processes +![Image of CyberSponse CyOps logo](images/cybersponse-logo.png) | [CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943) | CyOps integrates with Defender for Endpoint to automate customers' high-speed incident response playbooks +![Image of Delta Risk ActiveEye logo](images/delta-risk-activeeye-logo.png) | [Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468) | Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Defender for Endpoint with its cloud-native SOAR platform, ActiveEye. +![Image of Demisto, a Palo Alto Networks Company logo](images/demisto-logo.png) | [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414) | Demisto integrates with Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response +![Image of Microsoft Flow & Azure Functions logo](images/ms-flow-logo.png) | [Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300) | Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures +![Image of Rapid7 InsightConnect logo](images/rapid7-logo.png) | [Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040) | InsightConnect integrates with Defender for Endpoint to accelerate, streamline, and integrate your time-intensive security processes ![Image of ServiceNow logo](images/servicenow-logo.png) | [ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621) | Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration -![Image of Swimlane logo](images/swimlane-logo.png) | [Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902) | Maximize incident response capabilities utilizing Swimlane and Microsoft Defender ATP together +![Image of Swimlane logo](images/swimlane-logo.png) | [Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902) | Maximize incident response capabilities utilizing Swimlane and Defender for Endpoint together ### Threat intelligence Logo |Partner name | Description :---|:---|:--- -![Image of MISP Malware Information Sharing Platform)logo](images/misp-logo.png) | [MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2127543) | Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Microsoft Defender ATP environment -![Image of Palo Alto Networks logo](images/paloalto-logo.png) | [Palo Alto Networks](https://go.microsoft.com/fwlink/?linkid=2099582) | Enrich your endpoint protection by extending Autofocus and other threat feeds to Microsoft Defender ATP using MineMeld -![Image of ThreatConnect logo](images/threatconnect-logo.png) | [ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115) | Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Microsoft Defender ATP indicators +![Image of MISP Malware Information Sharing Platform)logo](images/misp-logo.png) | [MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2127543) | Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Defender for Endpoint environment +![Image of Palo Alto Networks logo](images/paloalto-logo.png) | [Palo Alto Networks](https://go.microsoft.com/fwlink/?linkid=2099582) | Enrich your endpoint protection by extending Autofocus and other threat feeds to Defender for Endpoint using MineMeld +![Image of ThreatConnect logo](images/threatconnect-logo.png) | [ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115) | Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Defender for Endpoint indicators ### Network security Logo |Partner name | Description :---|:---|:--- -![Image of Aruba ClearPass Policy Manager logo](images/aruba-logo.png) | [Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544) | Ensure Microsoft Defender ATP is installed and updated on each endpoint before allowing access to the network +![Image of Aruba ClearPass Policy Manager logo](images/aruba-logo.png) | [Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544) | Ensure Defender for Endpoint is installed and updated on each endpoint before allowing access to the network ![Image of Blue Hexagon for Network logo](images/bluehexagon-logo.png) | [Blue Hexagon for Network](https://go.microsoft.com/fwlink/?linkid=2104613) | Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection -![Image of CyberMDX logo](images/cybermdx-logo.png) | [CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620) | Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Microsoft Defender ATP environment +![Image of CyberMDX logo](images/cybermdx-logo.png) | [CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620) | Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Defender for Endpoint environment ![Image of Vectra Network Detection and Response (NDR) logo](images/vectra-logo.png) |[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)| Vectra applies AI & security research to detect and respond to cyber-attacks in real time @@ -96,45 +100,51 @@ Logo |Partner name | Description Logo |Partner name | Description :---|:---|:--- ![Image of Bitdefender logo](images/bitdefender-logo.png)| [Bitdefender](https://go.microsoft.com/fwlink/?linkid=860032)| Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats -![Image of Better Mobile logo](images/bettermobile-logo.png) | [Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)| AI based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy +![Image of Better Mobile logo](images/bettermobile-logo.png) | [Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)| AI-based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy ![Image of Corrata logo](images/corrata-logo.png)| [Corrata](https://go.microsoft.com/fwlink/?linkid=2081148) | Mobile solution — Protect your mobile devices with granular visibility and control from Corrata ![Image of Lookout logo](images/lookout-logo.png)| [Lookout](https://go.microsoft.com/fwlink/?linkid=866935)| Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices ![Image of Symantec Endpoint Protection Mobile logo](images/symantec-logo.png) | [Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)| SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices -![Image of Zimperium logo](images/zimperium-logo.png)| [Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Microsoft Defender ATP to iOS and Android with Machine Learning-based Mobile Threat Defense +![Image of Zimperium logo](images/zimperium-logo.png)| [Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense -## Additional integrations + +## Other integrations + Logo |Partner name | Description :---|:---|:--- -![Image of Cyren Web Filter logo](images/cyren-logo.png)| [Cyren Web Filter](https://go.microsoft.com/fwlink/?linkid=2108221)| Enhance your Microsoft Defender ATP with advanced Web Filtering -![Image of Morphisec logo](images/morphisec-logo.png)| [Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)| Provides Moving Target Defense-powered advanced threat prevention and integrates forensics data directly into WD Security Center dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information +![Image of Cyren Web Filter logo](images/cyren-logo.png)| [Cyren Web Filter](https://go.microsoft.com/fwlink/?linkid=2108221)| Enhance your Defender for Endpoint with advanced Web Filtering +![Image of Morphisec logo](images/morphisec-logo.png)| [Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)| Provides Moving Target Defense-powered advanced threat prevention. Integrates forensics data directly into WD Security Center dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information ![Image of THOR Cloud logo](images/nextron-thor-logo.png)| [THOR Cloud](https://go.microsoft.com/fwlink/?linkid=862988)| Provides on-demand live forensics scans using a signature base with focus on persistent threats ## SIEM integration -Microsoft Defender ATP supports SIEM integration through a variety of methods — specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md). +Defender for Endpoint supports SIEM integration through various of methods. This can include specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md). + ## Ticketing and IT service management -Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API. +Ticketing solution integration helps to implement manual and automatic response processes. Defender for Endpoint can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API. ## Security orchestration and automation response (SOAR) integration -Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others. +Orchestration solutions can help build playbooks and integrate the rich data model and actions that Defender for Endpoint APIs exposes to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others. ## External alert correlation and Automated investigation and remediation -Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale. +Defender for Endpoint offers unique automated investigation and remediation capabilities to drive incident response at scale. Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices. -External alerts can be pushed into Microsoft Defender ATP and is presented side by side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert — with the real process and the full story of attack. + +External alerts can be pushed to Defender for Endpoint. These alerts are shown side by side with additional device-based alerts from Defender for Endpoint. This view provides a full context of the alert and can reveal the full story of an attack. ## Indicators matching You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs). -Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to block execution and take remediation actions when there's a match. -Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators. +Defender for Endpoint allows you to integrate with these solutions and act on IoCs by correlating rich telemetry to create alerts. You can also use prevention and automated response capabilities to block execution and take remediation actions when there's a match. + + +Defender for Endpoint currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators. ## Support for non-Windows platforms -Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms, including mobile devices. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. +Defender for Endpoint provides a centralized security operations experience for Windows and non-Windows platforms, including mobile devices. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md index 7aa19efe08..3d1b8e911d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md @@ -5,7 +5,7 @@ description: Learn how you can extend existing security offerings on top of the keywords: API, partner, extend, open framework, apis, extensions, integrations, detection, management, response, vulnerabilities, intelligence search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,46 +14,48 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde --- -# Microsoft Defender ATP partner opportunities and scenarios +# Microsoft Defender for Endpoint partner opportunities and scenarios [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Microsoft Defender ATP. +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -The APIs span functional areas including detection, management, response, vulnerabilities, and intelligence-wide range of use cases. Based on the use case and need, partners can either stream or query data from Microsoft Defender ATP. + +Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Defender for Endpoint. + +The APIs span functional areas including detection, management, response, vulnerabilities, and intelligence-wide range of use cases. Based on the use case and need, partners can either stream or query data from Defender for Endpoint. ## Scenario 1: External alert correlation and Automated investigation and remediation -Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale. +Defender for Endpoint offers unique automated investigation and remediation capabilities to drive incident response at scale. Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products will help to address alerts. The integration also minimizes the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices. -Microsoft Defender ATP adds support for this scenario in the following forms: +Defender for Endpoint adds support for this scenario in the following forms: -- External alerts can be pushed into Microsoft Defender ATP and presented side by side with additional device-based alerts from Microsoft Defender ATP. This view provides the full context of the alert - with the real process and the full story of attack. +- External alerts can be pushed into Defender for Endpoint and presented side by side with additional device-based alerts from Defender for Endpoint. This view provides the full context of the alert - with the real process and the full story of attack. -- Once an alert is generated, the signal is shared across all Microsoft Defender ATP protected endpoints in the enterprise. Microsoft Defender ATP takes immediate automated or operator-assisted response to address the alert. +- Once an alert is generated, the signal is shared across all Defender for Endpoint protected endpoints in the enterprise. Defender for Endpoint takes immediate automated or operator-assisted response to address the alert. ## Scenario 2: Security orchestration and automation response (SOAR) integration -Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others. +Orchestration solutions can help build playbooks and integrate the rich data model and actions that Defender for Endpoint APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others. ## Scenario 3: Indicators matching -Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection, and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action. +Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Defender for Endpoint and gives the ability to set a list of indicators for prevention, detection, and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action. The above scenarios serve as examples of the extensibility of the platform. You are not limited to the examples and we certainly encourage you to leverage the open framework to discover and explore other scenarios. -Follow the steps in [Become a Microsoft Defender ATP partner](get-started-partner-integration.md) to integrate your solution in Microsoft Defender ATP. +Follow the steps in [Become a Microsoft Defender for Endpoint partner](get-started-partner-integration.md) to integrate your solution in Defender for Endpoint. ## Related topic - [Overview of management and APIs](management-apis.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index 699cc87da7..b7f89066a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -4,7 +4,7 @@ description: Microsoft Defender Security Center can monitor your enterprise netw keywords: Microsoft Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, devices list, settings, device management, advanced attacks search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender Security Center portal overview @@ -23,9 +24,11 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches. @@ -33,7 +36,7 @@ You can use [Microsoft Defender Security Center](https://securitycenter.windows. - View, sort, and triage alerts from your endpoints - Search for more information on observed indicators such as files and IP Addresses -- Change Microsoft Defender ATP settings, including time zone and review licensing information +- Change Microsoft Defender for Endpoint settings, including time zone and review licensing information ## Microsoft Defender Security Center @@ -42,7 +45,7 @@ When you open the portal, you'll see: - (1) Navigation pane (select the horizontal lines at the top of the navigation pane to show or hide it) - (2) Search, Community center, Localization, Help and support, Feedback - ![Microsoft Defender Advanced Threat Protection portal](images/mdatp-portal-overview.png) + ![Microsoft Defender for Endpoint portal](images/mdatp-portal-overview.png) > [!NOTE] > Malware related detections will only appear if your devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product. @@ -54,33 +57,33 @@ Area | Description **(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Devices list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it. **Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, devices at risk, users at risk, devices with sensor issues, service health, detection sources, and daily devices reporting dashboards. **Incidents** | View alerts that have been aggregated as incidents. -**Devices list** | Displays the list of devices that are onboarded to Microsoft Defender ATP, some information about them, and their exposure and risk levels. +**Devices list** | Displays the list of devices that are onboarded to Defender for Endpoint, some information about them, and their exposure and risk levels. **Alerts queue** | View alerts generated from devices in your organizations. **Automated investigations** | Displays automated investigations that have been conducted in the network, triggering alert, the status of each investigation and other details such as when the investigation started and the duration of the investigation. **Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool. **Reports** | View graphs detailing threat protection, device health and compliance, web protection, and vulnerability. **Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings. **Threat & Vulnerability management** | View your Microsoft Secure Score for Devices, exposure score, exposed devices, vulnerable software, and take action on top security recommendations. -**Evaluation and tutorials** | Manage test devices, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment. -**Service health** | Provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. +**Evaluation and tutorials** | Manage test devices, attack simulations, and reports. Learn and experience the Defender for Endpoint capabilities through a guided walk-through in a trial environment. +**Service health** | Provides information on the current status of the Defender for Endpoint service. You'll be able to verify that the service health is healthy or if there are current issues. **Configuration management** | Displays on-boarded devices, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your devices. **Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, device management, IT service management, and network assessments. -**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by device, file, user, URL, IP, vulnerability, software, and recommendation.

        **Community center** - Access the Community center to learn, collaborate, and share experiences about the product.

        **Localization** - Set time zones.

        **Help and support** - Access the Microsoft Defender ATP guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Microsoft Defender ATP evaluation lab, consult a threat expert.

        **Feedback** - Provide comments about what you like or what we can do better. +**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by device, file, user, URL, IP, vulnerability, software, and recommendation.

        **Community center** - Access the Community center to learn, collaborate, and share experiences about the product.

        **Localization** - Set time zones.

        **Help and support** - Access the Defender for Endpoint guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Defender for Endpoint evaluation lab, consult a threat expert.

        **Feedback** - Provide comments about what you like or what we can do better. > [!NOTE] > For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions. -## Microsoft Defender ATP icons +## Microsoft Defender for Endpoint icons The following table provides information on the icons used all throughout the portal: Icon | Description :---|:--- -![ATP logo icon](images/atp-logo-icon.png)| Microsoft Defender ATP logo +![ATP logo icon](images/atp-logo-icon.png)| Microsoft Defender for Endpoint logo ![Alert icon](images/alert-icon.png)| Alert – Indication of an activity correlated with advanced attacks. ![Detection icon](images/detection-icon.png)| Detection – Indication of a malware threat detection. ![Active threat icon](images/active-threat-icon.png)| Active threat – Threats actively executing at the time of detection. -![Remediated icon](images/remediated-icon.png)| Remediated – Threat removed from the device. +![Remediated icon1](images/remediated-icon.png)| Remediated – Threat removed from the device. ![Not remediated icon](images/not-remediated-icon.png)| Not remediated – Threat not removed from the device. ![Thunderbolt icon](images/atp-thunderbolt-icon.png)| Indicates events that triggered an alert in the **Alert process tree**. ![Device icon](images/atp-machine-icon.png)| Device icon @@ -115,7 +118,7 @@ Icon | Description ![Terminated by system](images/terminated-by-system.png) | Automated investigation - terminated by system ![Pending icon](images/pending.png) | Automated investigation - pending ![Running icon](images/running.png) | Automated investigation - running -![Remediated icon](images/remediated.png) | Automated investigation - remediated +![Remediated icon2](images/remediated.png) | Automated investigation - remediated ![Partially investigated icon](images/partially_remediated.png) | Automated investigation - partially remediated ![Threat insights icon](images/tvm_bug_icon.png) | Threat & Vulnerability Management - threat insights ![Possible active alert icon](images/tvm_alert_icon.png) | Threat & Vulnerability Management - possible active alert diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md index f74d49ee22..53360643c8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md @@ -3,7 +3,7 @@ title: Submit or Update Indicator API description: Learn how to use the Submit or Update Indicator API to submit or update a new Indicator entity in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, submit, ti, indicator, update search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,23 +12,29 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Submit or Update Indicator API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description Submits or Updates new [Indicator](ti-indicator.md) entity. -
        CIDR notation for IPs is supported. +
        CIDR notation for IPs is not supported. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. @@ -47,12 +53,9 @@ Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators' ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/indicators +POST https://api.securitycenter.microsoft.com/api/indicators ``` -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - ## Request headers Name | Type | Description @@ -87,9 +90,11 @@ rbacGroupNames | String | Comma-separated list of RBAC group names the indicator Here is an example of the request. +```http +POST https://api.securitycenter.microsoft.com/api/indicators ``` -POST https://api.securitycenter.windows.com/api/indicators -Content-type: application/json + +```json { "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1", diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md index 59653a5fc2..abe5f6b57a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md @@ -4,7 +4,7 @@ description: Use the settings page to configure general settings, permissions, a keywords: settings, general settings, permissions, apis, rules search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure Microsoft Defender Security Center settings @@ -23,9 +24,11 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-prefsettings-abovefoldlink) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-prefsettings-abovefoldlink) Use the **Settings** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature. diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md index fe2d128e37..8dab515d0f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md @@ -4,7 +4,7 @@ description: Prepare stakeholder approval, timelines, environment considerations keywords: deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,61 +14,34 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-endpointprotect -- m365solution-scenario -ms.topic: article + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-scenario +ms.topic: article +ms.technology: mde --- -# Prepare Microsoft Defender ATP deployment +# Prepare Microsoft Defender for Endpoint deployment [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +Deploying Defender for Endpoint is a three-phase process: +| ![deployment phase - prepare](images/phase-diagrams/prepare.png)
        Phase 1: Prepare | [![deployment phase - setup](images/phase-diagrams/setup.png)](production-deployment.md)
        [Phase 2: Setup](production-deployment.md) | [![deployment phase - onboard](images/phase-diagrams/onboard.png)](onboarding.md)
        [Phase 3: Onboard](onboarding.md) | +| ----- | ----- | ----- | +|*You are here!* | || -Deploying Microsoft Defender ATP is a three-phase process: - -
        - - - - - - - - - - - -
        - - Plan to deploy Microsoft Defender ATP -
        Phase 1: Prepare
        -         		- - Onboard to the Microsoft Defender ATP service -
        Phase 2: Set up
        -         		- - Configure capabilities -
        Phase 3: Onboard
        -
        - - - - - -
        You are currently in the preparation phase. -Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Microsoft Defender ATP. +Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Defender for Endpoint. ## Stakeholders and approval @@ -111,8 +84,7 @@ required in technologies or processes. ## Role-based access control -Microsoft recommends using the concept of least privileges. Microsoft Defender -ATP leverages built-in roles within Azure Active Directory. Microsoft recommends +Microsoft recommends using the concept of least privileges. Defender for Endpoint leverages built-in roles within Azure Active Directory. Microsoft recommends [review the different roles that are available](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles-azure-portal) and choose the right one to solve your needs for each persona for this @@ -132,7 +104,7 @@ Management](https://docs.microsoft.com/azure/active-directory/active-directory-p to manage your roles to provide additional auditing, control, and access review for users with directory permissions. -Microsoft Defender ATP supports two ways to manage permissions: +Defender for Endpoint supports two ways to manage permissions: - **Basic permissions management**: Set permissions to either full access or read-only. In the case of basic permissions management users with Global @@ -144,7 +116,7 @@ Microsoft Defender ATP supports two ways to manage permissions: groups access to device groups. For more information. see [Manage portal access using role-based access control](rbac.md). Microsoft recommends leveraging RBAC to ensure that only users that have a -business justification can access Microsoft Defender ATP. +business justification can access Defender for Endpoint. You can find details on permission guidelines [here](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group). @@ -167,24 +139,24 @@ place. The bare minimum every organization should have been an antivirus solutio Historically, replacing any security solution used to be time intensive and difficult to achieve due to the tight hooks into the application layer and infrastructure -dependencies. However, because Microsoft Defender ATP is built into the +dependencies. However, because Defender for Endpoint is built into the operating system, replacing third-party solutions is now easy to achieve. -Choose the component of Microsoft Defender ATP to be used and remove the ones +Choose the component of Defender for Endpoint to be used and remove the ones that do not apply. The table below indicates the order Microsoft recommends for how the endpoint security suite should be enabled. | Component | Description | Adoption Order Rank | |-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------| -| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
        [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 | -|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
        - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
        - Invaluable device vulnerability context during incident investigations
        - Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
        [Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 | +| Endpoint Detection & Response (EDR) | Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
        [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 | +|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender for Endpoint, and provides both security administrators and security operations teams with unique value, including:
        - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
        - Invaluable device vulnerability context during incident investigations
        - Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
        [Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 | | Next-generation protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
        -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
        - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
        - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
        [Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 | -| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP help protect the devices and applications in the organization from new and emerging threats.
        [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 | -| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
        [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable | +| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender for Endpoint help protect the devices and applications in the organization from new and emerging threats.
        [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 | +| Auto Investigation & Remediation (AIR) | Microsoft Defender for Endpoint uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
        [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable | | Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.
        [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable | ## Next step ||| |:-------|:-----| -|![Phase 2: Setup](images/setup.png)
        [Phase 2: Setup](production-deployment.md) | Set up Microsoft Defender ATP deployment +|![Phase 2: Setup](images/setup.png)
        [Phase 2: Setup](production-deployment.md) | Set up Microsoft Defender for Endpoint deployment diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md index 0609532537..626aafb55f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md @@ -4,7 +4,7 @@ description: Turn on the preview experience in Microsoft Defender Advanced Threa keywords: advanced features, settings, block file search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,20 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Turn on the preview experience in Microsoft Defender ATP +# Turn on the preview experience in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-previewsettings-abovefoldlink) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-previewsettings-abovefoldlink) Turn on the preview experience setting to be among the first to try upcoming features. @@ -36,8 +38,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea 2. Toggle the setting between **On** and **Off** and select **Save preferences**. ## Related topics -- [Update general settings in Microsoft Defender ATP](data-retention-settings.md) -- [Turn on advanced features in Microsoft Defender ATP](advanced-features.md) -- [Configure email notifications in Microsoft Defender ATP](configure-email-notifications.md) -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) +- [Update general settings in Microsoft Defender for Endpoint](data-retention-settings.md) +- [Turn on advanced features in Microsoft Defender for Endpoint](advanced-features.md) +- [Configure email notifications in Microsoft Defender for Endpoint](configure-email-notifications.md) +- [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 5ed93079a0..169dd4dda9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -4,7 +4,7 @@ description: Learn how to access Microsoft Defender Advanced Threat Protection p keywords: preview, preview experience, Microsoft Defender Advanced Threat Protection, features, updates search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,12 +14,13 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- -# Microsoft Defender ATP preview features +# Microsoft Defender for Endpoint preview features [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -27,19 +28,23 @@ ms.topic: conceptual >The preview versions are provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -The Microsoft Defender ATP service is constantly being updated to include new feature enhancements and capabilities. +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +The Defender for Endpoint service is constantly being updated to include new feature enhancements and capabilities. > [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink) -Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience. >[!TIP] >Get notified when this page is updated by copying and pasting the following URL into your feed reader: `https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+preview+features%22&locale=en-us` -For more information on new capabilities that are generally available, see [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md). +For more information on new capabilities that are generally available, see [What's new in Defender for Endpoint](whats-new-in-microsoft-defender-atp.md). ## Turn on preview features @@ -54,22 +59,19 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: -- [Microsoft Defender ATP for iOS](microsoft-defender-atp-ios.md)
        Microsoft Defender ATP now adds support for iOS. Learn how to install, configure, and use Microsoft Defender ATP for iOS. -- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
        Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android. - -- [Web Content Filtering](web-content-filtering.md)
        Web content filtering is part of web protection capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns. +- [Web Content Filtering](web-content-filtering.md)
        Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns. - [Device health and compliance report](machine-reports.md)
        The device health and compliance report provides high-level information about the devices in your organization. - [Information protection](information-protection-in-windows-overview.md)
        -Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. +Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender for Endpoint is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. >[!NOTE] >Partially available from Windows 10, version 1809. -- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019)
        Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices. +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019)
        Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices. > [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index a1c3772e14..b0fe2b8a22 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -4,7 +4,7 @@ description: Learn how to setup the deployment for Microsoft Defender ATP keywords: deploy, setup, licensing validation, tenant configuration, network configuration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,45 +14,29 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-endpointprotect -- m365solution-scenario -ms.topic: article + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-scenario +ms.topic: article +ms.technology: mde --- -# Set up Microsoft Defender ATP deployment +# Set up Microsoft Defender for Endpoint deployment [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Deploying Microsoft Defender ATP is a three-phase process: +Deploying Defender for Endpoint is a three-phase process: -
        - - - - - - - - -
        - - Prepare to deploy Microsoft Defender ATP -
        Phase 1: Prepare
        -         		- - Onboard to the Microsoft Defender ATP service -
        Phase 2: Set up
        -         		- - Onboard image -
        Phase 3: Onboard
        -
        +| [![deployment phase - prepare](images/phase-diagrams/prepare.png)](prepare-deployment.md)
        [Phase 1: Prepare](prepare-deployment.md) | ![deployment phase - setup](images/phase-diagrams/setup.png)
        Phase 2: Setup | [![deployment phase - onboard](images/phase-diagrams/onboard.png)](onboarding.md)
        [Phase 3: Onboard](onboarding.md) | +| ----- | ----- | ----- | +| | *You are here!*|| You are currently in the set-up phase. @@ -63,7 +47,7 @@ In this deployment scenario, you'll be guided through the steps on: >[!NOTE] ->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md). +>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Defender for Endpoint supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard devices to Microsoft Defender for Endpoint](onboard-configure.md). ## Check license state @@ -94,11 +78,11 @@ To gain access into which licenses are provisioned to your company, and to check ## Tenant Configuration -When accessing Microsoft Defender Security Center for the first time, a wizard that will guide you through some initial steps. At the end of the setup wizard, there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client device. +When accessing Microsoft Defender Security Center for the first time, a wizard that will guide you through some initial steps. At the end of the setup wizard, there will be a dedicated cloud instance of Defender for Endpoint created. The easiest method is to perform these steps from a Windows 10 client device. 1. From a web browser, navigate to . - ![Image of Set up your permissions for Microsoft Defender ATP](images/atp-setup-permissions-wdatp-portal.png) + ![Image of Set up your permissions for Microsoft Defender for Endpoint](images/atp-setup-permissions-wdatp-portal.png) 2. If going through a TRIAL license, go to the link () @@ -128,11 +112,11 @@ When accessing Microsoft Defender Security Center for the first time, a wizard t If the organization does not require the endpoints to use a Proxy to access the Internet, skip this section. -The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to -report sensor data and communicate with the Microsoft Defender ATP service. The -embedded Microsoft Defender ATP sensor runs in the system context using the +The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to +report sensor data and communicate with the Microsoft Defender for Endpoint service. The +embedded Microsoft Defender for Endpoint sensor runs in the system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) -to enable communication with the Microsoft Defender ATP cloud service. The +to enable communication with the Microsoft Defender for Endpoint cloud service. The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: @@ -145,7 +129,7 @@ the following discovery methods: If a Transparent proxy or WPAD has been implemented in the network topology, there is no need for special configuration settings. For more information on -Microsoft Defender ATP URL exclusions in the proxy, see the +Microsoft Defender for Endpoint URL exclusions in the proxy, see the Appendix section in this document for the URLs allow list or on [Microsoft Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). @@ -163,8 +147,8 @@ Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defe ### Configure the proxy server manually using a registry-based static proxy -Configure a registry-based static proxy to allow only Microsoft Defender ATP -sensor to report diagnostic data and communicate with Microsoft Defender ATP +Configure a registry-based static proxy to allow only Microsoft Defender for Endpoint +sensor to report diagnostic data and communicate with Microsoft Defender for Endpoint services if a computer is not permitted to connect to the Internet. The static proxy is configurable through Group Policy (GP). The group policy can be found under: @@ -236,20 +220,20 @@ URLs that include v20 in them are only needed if you have Windows 10, version needed if the device is on Windows 10, version 1803 or later. -If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the listed URLs. +If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender for Endpoint sensor is connecting from system context, make sure anonymous traffic is permitted in the listed URLs. The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. Ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. |**Spreadsheet of domains list**|**Description**| |:-----|:-----| -|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)
        | Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

        [Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) +|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)
        | Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

        [Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) -### Microsoft Defender ATP service backend IP range +### Microsoft Defender for Endpoint service backend IP range If you network devices don't support the URLs listed in the prior section, you can use the following information. -Microsoft Defender ATP is built on Azure cloud, deployed in the following regions: +Defender for Endpoint is built on Azure cloud, deployed in the following regions: - \+\ - \+\ @@ -265,6 +249,5 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https: > As a cloud-based solution, the IP address range can change. It's recommended you move to DNS resolving setting. ## Next step -||| -|:-------|:-----| -|![Phase 3: Onboard](images/onboard.png)
        [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so that the Microsoft Defender ATP service can get sensor data from them. + +![**Phase 3: Onboard**](images/onboard.png)
        [Phase 3: Onboard](onboarding.md): Onboard devices to the service so that the Microsoft Defender for Endpoint service can get sensor data from them. diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index 5ded65750b..bed5597bce 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -1,10 +1,10 @@ --- -title: Pull Microsoft Defender ATP detections using REST API -description: Learn how call an Microsoft Defender ATP endpoint to pull detections in JSON format using the SIEM REST API. +title: Pull Microsoft Defender for Endpoint detections using REST API +description: Learn how to call a Microsoft Defender for Endpoint API endpoint to pull detections in JSON format using the SIEM REST API. keywords: detections, pull detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,28 +13,31 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Pull Microsoft Defender ATP detections using SIEM REST API +# Pull Microsoft Defender for Endpoint detections using SIEM REST API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. ->-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). +>- [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections. +>- [Microsoft Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. +>-The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). -Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API. +Microsoft Defender for Endpoint supports the OAuth 2.0 protocol to pull detections from the API. In general, the OAuth 2.0 protocol supports four types of flows: - Authorization grant flow @@ -44,19 +47,19 @@ In general, the OAuth 2.0 protocol supports four types of flows: For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net). -Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull detections, with Azure Active Directory (AAD) as the authorization server. +Microsoft Defender for Endpoint supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull detections, with Azure Active Directory (AAD) as the authorization server. The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token. -The _Client credential flow_ uses client credentials to authenticate against the Microsoft Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials. +The _Client credential flow_ uses client credentials to authenticate against the Microsoft Defender for Endpoint endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials. -Use the following method in the Microsoft Defender ATP API to pull detections in JSON format. +Use the following method in the Microsoft Defender for Endpoint API to pull detections in JSON format. >[!NOTE] >Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering. ## Before you begin -- Before calling the Microsoft Defender ATP endpoint to pull detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). +- Before calling the Microsoft Defender for Endpoint endpoint to pull detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md). - Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app: - Application ID (unique to your application) @@ -67,7 +70,7 @@ Use the following method in the Microsoft Defender ATP API to pull detections in ## Get an access token Before creating calls to the endpoint, you'll need to get an access token. -You'll use the access token to access the protected resource, which are detections in Microsoft Defender ATP. +You'll use the access token to access the protected resource, which is detections in Microsoft Defender for Endpoint. To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request: @@ -84,18 +87,18 @@ The response will include an access token and expiry information. ```json { "token_type": "Bearer", - "expires_in": "3599", - "ext_expires_in": "0", - "expires_on": "1488720683", - "not_before": "1488720683", + "expires_in": 3599, + "ext_expires_in": 0, + "expires_on": 1488720683, + "not_before": 1488720683, "resource": "https://graph.windows.net", "access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..." } ``` -You can now use the value in the *access_token* field in a request to the Microsoft Defender ATP API. +You can now use the value in the *access_token* field in a request to the Defender for Endpoint API. ## Request -With an access token, your app can make authenticated requests to the Microsoft Defender ATP API. Your app must append the access token to the Authorization header of each request. +With an access token, your app can make authenticated requests to the Microsoft Defender for Endpoint API. Your app must append the access token to the Authorization header of each request. ### Request syntax Method | Request URI @@ -115,7 +118,7 @@ Name | Value| Description :---|:---|:--- sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from, based on field:
        `LastProcessedTimeUtc`
        The time range will be: from sinceTimeUtc time to current time.

        **NOTE**: When not specified, all alerts generated in the last two hours are retrieved. untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved.
        The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

        **NOTE**: When not specified, the default value will be the current time. -ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

        Value should be set according to **ISO 8601** duration format
        E.g. `ago=PT10M` will pull alerts received in the last 10 minutes. +ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

        Value should be set according to **ISO 8601** duration format
        Example: `ago=PT10M` will pull alerts received in the last 10 minutes. limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

        **NOTE**: When not specified, all alerts available in the time range will be retrieved. machinegroups | string | Specifies device groups to pull alerts from.

        **NOTE**: When not specified, alerts from all device groups will be retrieved.

        Example:

        ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` DeviceCreatedMachineTags | string | Single device tag from the registry. @@ -200,10 +203,10 @@ Here is an example return value: ## Code examples ### Get access token -The following code examples demonstrate how to obtain an access token for calling the Microsoft Defender ATP SIEM API. +The following code examples demonstrate how to obtain an access token for calling the Microsoft Defender for Endpoint SIEM API. ```csharp -AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantId)); +AuthenticationContext context = new AuthenticationContext(string.Format("https://login.microsoftonline.com/{0}", tenantId)); ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret); AuthenticationResult authenticationResult = context.AcquireTokenAsync(detectionsResource, clientCredentials).GetAwaiter().GetResult(); ``` @@ -218,7 +221,7 @@ $appId = '' ### Paste your Application ID here $appSecret = '' ### Paste your Application secret here $resourceAppIdUri = 'https://graph.windows.net' -$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token" +$oAuthUri = "https://login.microsoftonline.com/$tenantId/oauth2/token" $authBody = [Ordered] @{ resource = "$resourceAppIdUri" client_id = "$appId" @@ -237,7 +240,7 @@ tenantId='' ### Paste your tenant ID here appId='' ### Paste your Application ID here appSecret='' ### Paste your Application secret here resourceAppIdUri='https://graph.windows.net' -oAuthUri="https://login.windows.net/$tenantId/oauth2/token" +oAuthUri="https://login.microsoftonline.com/$tenantId/oauth2/token" scriptDir=$(pwd) apiResponse=$(curl -s X POST "$oAuthUri" -d "resource=$resourceAppIdUri&client_id=$appId&client_secret=$appSecret&\ @@ -250,7 +253,7 @@ echo ${tokenArr[1]} | cut -d "\"" -f2 | cut -d "\"" -f1 >> $scriptDir/LatestSIEM ``` ### Use token to connect to the detections endpoint -The following code examples demonstrate how to use an access token for calling the Microsoft Defender ATP SIEM API to get alerts. +The following code examples demonstrate how to use an access token for calling the Defender for Endpoint SIEM API to get alerts. ```csharp HttpClient httpClient = new HttpClient(); @@ -318,7 +321,7 @@ echo $apiResponse ``` ## Error codes -The Microsoft Defender ATP REST API returns the following error codes caused by an invalid request. +The Microsoft Defender for Endpoint REST API returns the following error codes caused by an invalid request. HTTP error code | Description :---|:--- @@ -327,8 +330,8 @@ HTTP error code | Description 500 | Error in the service. ## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) -- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) -- [Microsoft Defender ATP Detection fields](api-portal-mapping.md) +- [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md) +- [Configure ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md) +- [Configure Splunk to pull Microsoft Defender for Endpoint detections](configure-splunk.md) +- [Microsoft Defender for Endpoint Detection fields](api-portal-mapping.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md index 3dd71c46a6..3b4e3677f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md @@ -1,10 +1,10 @@ --- -title: Stream Microsoft Defender Advanced Threat Protection events to Azure Event Hubs +title: Stream Microsoft Defender Advanced Threat Protection events to Azure Event Hubs description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Event Hub. keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,37 +13,45 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Azure Event Hubs +# Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Azure Event Hubs [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) ## Before you begin: 1. Create an [event hub](https://docs.microsoft.com/azure/event-hubs/) in your tenant. -2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****. + +2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights**. ## Enable raw data streaming: -1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) with a Global Admin user. -2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center. -3. Click on **Add data export settings**. -4. Choose a name for your new settings. -5. Choose **Forward events to Azure Event Hubs**. -6. Type your **Event Hubs name** and your **Event Hubs resource ID**. - In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**: +1. Log in to the [Microsoft Defender Security Center](https://securitycenter.windows.com) as a ***Global Administrator*** or ***Security Administrator***. - ![Image of event hub resource Id](images/event-hub-resource-id.png) +2. Go to the [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center. + +3. Click on **Add data export settings**. + +4. Choose a name for your new settings. + +5. Choose **Forward events to Azure Event Hubs**. + +6. Type your **Event Hubs name** and your **Event Hubs resource ID**. + + In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**: + + ![Image of event hub resource Id1](images/event-hub-resource-id.png) 7. Choose the events you want to stream and click **Save**. @@ -64,8 +72,11 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w ``` - Each event hub message in Azure Event Hubs contains list of records. -- Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**". -- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md). + +- Each record contains the event name, the time Microsoft Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**". + +- For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md). + - In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information. ## Data types mapping: @@ -73,21 +84,22 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w To get the data types for event properties do the following: 1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package). + 2. Run the following query to get the data types mapping for each event: -``` -{EventType} -| getschema -| project ColumnName, ColumnType - -``` + ``` + {EventType} + | getschema + | project ColumnName, ColumnType + ``` - Here is an example for Device Info event: -![Image of event hub resource Id](images/machine-info-datatype-example.png) + ![Image of event hub resource Id2](images/machine-info-datatype-example.png) ## Related topics - [Overview of Advanced Hunting](advanced-hunting-overview.md) -- [Microsoft Defender ATP streaming API](raw-data-export.md) -- [Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md) +- [Microsoft Defender for Endpoint streaming API](raw-data-export.md) +- [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md) - [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/) +- [Troubleshoot connectivity issues - Azure Event Hubs](https://docs.microsoft.com/azure/event-hubs/troubleshooting-guide) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md index ae061aa91b..0b8aaf517a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md @@ -4,7 +4,7 @@ description: Learn how to configure Microsoft Defender ATP to stream Advanced Hu keywords: raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,37 +13,42 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account +# Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Storage account [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) ## Before you begin: 1. Create a [Storage account](https://docs.microsoft.com/azure/storage/common/storage-account-overview) in your tenant. + 2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights**. -3. Go to **Settings > Advanced Features > Preview features** and turn Preview features **On**. ## Enable raw data streaming: -1. Log in to [Microsoft Defender ATP portal](https://securitycenter.windows.com) with Global Admin user. -2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center. -3. Click on **Add data export settings**. -4. Choose a name for your new settings. -5. Choose **Forward events to Azure Storage**. -6. Type your **Storage Account Resource Id**. In order to get your **Storage Account Resource Id**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**: +1. Log in to [Microsoft Defender for Endpoint portal](https://securitycenter.windows.com) as a ***Global Administrator*** or ***Security Administrator***. - ![Image of event hub resource Id](images/storage-account-resource-id.png) +2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center. + +3. Click on **Add data export settings**. + +4. Choose a name for your new settings. + +5. Choose **Forward events to Azure Storage**. + +6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**: + + ![Image of event hub resource ID1](images/storage-account-resource-id.png) 7. Choose the events you want to stream and click **Save**. @@ -51,22 +56,25 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w - A blob container will be created for each event type: -![Image of event hub resource Id](images/storage-account-event-schema.png) + ![Image of event hub resource ID2](images/storage-account-event-schema.png) - The schema of each row in a blob is the following JSON: -``` -{ - "time": "" - "tenantId": "" - "category": "" - "properties": { } -} -``` + ``` + { + "time": "" + "tenantId": "" + "category": "" + "properties": { } + } + ``` - Each blob contains multiple rows. -- Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties". -- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md). + +- Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties". + +- For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md). + - In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information. ## Data types mapping: @@ -74,21 +82,21 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w In order to get the data types for our events properties do the following: 1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package). + 2. Run the following query to get the data types mapping for each event: -``` -{EventType} -| getschema -| project ColumnName, ColumnType - -``` + ``` + {EventType} + | getschema + | project ColumnName, ColumnType + ``` - Here is an example for Device Info event: -![Image of event hub resource ID](images/machine-info-datatype-example.png) + ![Image of event hub resource ID3](images/machine-info-datatype-example.png) ## Related topics - [Overview of Advanced Hunting](advanced-hunting-overview.md) -- [Microsoft Defender Advanced Threat Protection Streaming API](raw-data-export.md) -- [Stream Microsoft Defender Advanced Threat Protection events to your Azure storage account](raw-data-export-storage.md) +- [Microsoft Defender for Endpoint Streaming API](raw-data-export.md) +- [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md) - [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md index e5a93c9ecf..98400242b3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md @@ -1,10 +1,10 @@ --- -title: Stream Microsoft Defender Advanced Threat Protection event +title: Stream Microsoft Defender Advanced Threat Protection event description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to Event Hubs or Azure storage account keywords: raw data export, streaming API, API, Event hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,24 +13,23 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Raw Data Streaming API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) ## Stream Advanced Hunting events to Event Hubs and/or Azure storage account. -Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/). +Defender for Endpoint supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/). > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4ga] @@ -39,8 +38,8 @@ Microsoft Defender ATP supports streaming all the events available through [Adva Topic | Description :---|:--- -[Stream Microsoft Defender ATP events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](advanced-hunting-overview.md) to Event Hubs. -[Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](advanced-hunting-overview.md) to your Azure storage account. +[Stream Microsoft Defender for Endpoint events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Defender for Endpoint to stream [Advanced Hunting](advanced-hunting-overview.md) to Event Hubs. +[Stream Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Defender for Endpoint to stream [Advanced Hunting](advanced-hunting-overview.md) to your Azure storage account. ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md index d0659c30a2..b5bc0c196d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/rbac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/rbac.md @@ -4,7 +4,7 @@ description: Create roles and groups within your security operations to grant ac keywords: rbac, role, based, access, control, groups, control, tier, aad search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Manage portal access using role-based access control @@ -24,9 +25,11 @@ ms.topic: article **Applies to:** - Azure Active Directory - Office 365 -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-rbac-abovefoldlink) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-rbac-abovefoldlink) Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do. @@ -41,10 +44,10 @@ Tier 1 | **Local security operations team / IT team**
        This team usually tri Tier 2 | **Regional security operations team**
        This team can see all the devices for their region and perform remediation actions. Tier 3 | **Global security operations team**
        This team consists of security experts and are authorized to see and perform all actions from the portal. -Microsoft Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, devices they can access, and actions they can take. The RBAC framework is centered around the following controls: +Defender for Endpoint RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, devices they can access, and actions they can take. The RBAC framework is centered around the following controls: - **Control who can take specific action** - - Create custom roles and control what Microsoft Defender ATP capabilities they can access with granularity. + - Create custom roles and control what Defender for Endpoint capabilities they can access with granularity. - **Control who can see information on specific device group or groups** - [Create device groups](machine-groups.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group. @@ -61,18 +64,18 @@ Before using RBAC, it's important that you understand the roles that can grant p When you first log in to Microsoft Defender Security Center, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. -Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all devices, regardless of their device group association and the Azure AD user groups assignments +Someone with a Defender for Endpoint Global administrator role has unrestricted access to all devices, regardless of their device group association and the Azure AD user groups assignments > [!WARNING] > Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Microsoft Defender Security Center, therefore, having the right groups ready in Azure AD is important. > > **Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.** > ->Users with admin permissions are automatically assigned the default built-in Microsoft Defender ATP global administrator role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security Administrators to the Microsoft Defender ATP global administrator role. +>Users with admin permissions are automatically assigned the default built-in Defender for Endpoint global administrator role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security Administrators to the Defender for Endpoint global administrator role. > > After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal. ## Related topic -- [Create and manage device groups in Microsoft Defender ATP](machine-groups.md) +- [Create and manage device groups in Microsoft Defender for Endpoint](machine-groups.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md index 4e9bf9b693..a79f5f4029 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md @@ -1,9 +1,9 @@ --- title: Recommendation methods and properties -description: Retrieves top recent alerts. +description: Retrieves the top recent alerts. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Recommendation resource type @@ -21,9 +22,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index b22362ce0a..d3a21ba3a1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -1,10 +1,10 @@ --- -title: Take response actions on a file in Microsoft Defender ATP -description: Take response actions on file related alerts by stopping and quarantining a file or blocking a file and checking activity details. +title: Take response actions on a file in Microsoft Defender for Endpoint +description: Take response actions on file-related alerts by stopping and quarantining a file or blocking a file and checking activity details. keywords: respond, stop and quarantine, block file, deep analysis search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Take response actions on a file @@ -23,12 +24,11 @@ ms.topic: article **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - [!include[Prerelease information](../../includes/prerelease.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink) Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center. @@ -46,60 +46,59 @@ You can also submit files for deep analysis, to run the file in a secure cloud s Some actions require certain permissions. The following table describes what action certain permissions can take on portable executable (PE) and non-PE files: -Permission | PE files | Non-PE files -:---|:---|:--- -View data | X | X -Alerts investigation | ☑ | X -Live response basic | X | X -Live response advanced | ☑ |☑ +| Permission | PE files | Non-PE files | +| :--------------------- | :------: | :----------: | +| View data | X | X | +| Alerts investigation | ☑ | X | +| Live response basic | X | X | +| Live response advanced | ☑ | ☑ | For more information on roles, see [Create and manage roles for role-based access control](user-roles.md). - ## Stop and quarantine files in your network You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed. ->[!IMPORTANT] ->You can only take this action if: +> [!IMPORTANT] +> You can only take this action if: > > - The device you're taking the action on is running Windows 10, version 1703 or later > - The file does not belong to trusted third-party publishers or not signed by Microsoft > - Microsoft Defender Antivirus must at least be running on Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). -The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data, such as any registry keys. +The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data such as registry keys. This action takes effect on devices with Windows 10, version 1703 or later, where the file was observed in the last 30 days. ->[!NOTE] ->You’ll be able to restore the file from quarantine at any time. +> [!NOTE] +> You’ll be able to restore the file from quarantine at any time. ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: - - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline - - **Search box** - select **File** from the drop–down menu and enter the file name + - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline + - **Search box** - select **File** from the drop–down menu and enter the file name - - >[!NOTE] - >The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file). + > [!NOTE] + > The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file). 2. Go to the top bar and select **Stop and Quarantine File**. - ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) + ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) -3. Specify a reason, then click **Confirm**. +3. Specify a reason, then select **Confirm**. - ![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png) + ![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png) - The Action center shows the submission information: - ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) + The Action center shows the submission information: + + ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) - - **Submission time** - Shows when the action was submitted. - - **Success** - Shows the number of devices where the file has been stopped and quarantined. - - **Failed** - Shows the number of devices where the action failed and details about the failure. - - **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network. + - **Submission time** - Shows when the action was submitted. + - **Success** - Shows the number of devices where the file has been stopped and quarantined. + - **Failed** - Shows the number of devices where the action failed and details about the failure. + - **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network. 4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed. @@ -110,7 +109,7 @@ When the file is being removed from a device, the following notification is show In the device timeline, a new event is added for each device where a file was stopped and quarantined. -For files that widely used throughout an organization, a warning is shown before an action is implemented, to validate that the operation is intended. +A warning is shown before the action is implemented for files widely used throughout an organization. It's to validate that the operation is intended. ## Restore file from quarantine @@ -118,35 +117,52 @@ You can roll back and remove a file from quarantine if you’ve determined that 1. Open an elevated command–line prompt on the device: - a. Go to **Start** and type _cmd_. + 1. Go to **Start** and type _cmd_. - b. Right–click **Command prompt** and select **Run as administrator**. + 1. Right–click **Command prompt** and select **Run as administrator**. 2. Enter the following command, and press **Enter**: - ```Powershell + ```powershell “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All ``` > [!NOTE] > In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl. -> -> Microsoft Defender ATP will restore all custom blocked files that were quarantined on this device in the last 30 days. +> +> Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days. + +> [!IMPORTANT] +> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired. + +## Download or collect file + +Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file. A flyout will appear where you can record a reason for downloading the file, and set a password. + +By default, you will not be able to download files that are in quarantine. + +![Image of download file action](images/atp-download-file-action.png) + +### Collect files + +If a file is not already stored by Microsoft Defender for Endpoint, you can't download it. Instead, you'll see a **Collect file** button in the same location. If a file hasn't been seen in the organization in the past 30 days, **Collect file** will be disabled. +> [!Important] +> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired. ## Add indicator to block or allow a file -You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization. +Prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization. ->[!IMPORTANT] +> [!IMPORTANT] > ->- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). +> - This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–delivered protection is enabled. For more information, see [Manage cloud–delivered protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). > ->- The Antimalware client version must be 4.18.1901.x or later. ->- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. ->- This response action is available for devices on Windows 10, version 1703 or later. ->- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action. +> - The Antimalware client version must be 4.18.1901.x or later. +> - This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. +> - This response action is available for devices on Windows 10, version 1703 or later. +> - The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action. ->[!NOTE] +> [!NOTE] > The PE file needs to be in the device timeline for you to be able to take this action. > > There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked. @@ -154,102 +170,91 @@ You can prevent further propagation of an attack in your organization by banning ### Enable the block file feature To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. - + ### Allow or block file When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it. -Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue. +Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue. - See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files. +See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files. -To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position that the **Add Indicator** action was, before you added the indicator. +To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position as the **Add Indicator** action, before you added the indicator. You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash. -## Download or collect file - -Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file. - -![Image of download file action](images/atp-download-file-action.png) - -When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are downloading the file. You can also set a password to open the file. - -![Image of download file fly-out](images/atp-download-file-reason.png) - -If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled. - ## Consult a threat expert -You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard. +Consult a Microsoft threat expert for more insights on a potentially compromised device, or already compromised devices. Microsoft Threat Experts are engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights on a potentially compromised device and help you understand complex threats and targeted attack notifications. They can also provide information about the alerts or a threat intelligence context that you see on your portal dashboard. See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details. ## Check activity details in Action center -The **Action center** provides information on actions that were taken on a device or file. You’ll be able to view the following details: +The **Action center** provides information on actions that were taken on a device or file. You can view the following details: - Investigation package collection - Antivirus scan - App restriction - Device isolation -All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed. +All other related details are also shown, such as submission date/time, submitting user, and if the action succeeded or failed. ![Image of action center with information](images/action-center-details.png) - ## Deep analysis -Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis. +Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Selecting a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis. The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files (including _.exe_ and _.dll_ files). -Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to display the date and time of the latest results available, as well as a summary of the report itself. +Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to display a summary and the date and time of the latest available results. -The Deep analysis summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. If nothing was found, these sections will simply display a brief message. +The deep analysis summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. If nothing was found, these sections will display a brief message. Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts. -Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page. +Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.
        +
        ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0] +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0] -**Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 device that supports submitting to deep analysis. +**Submit for deep analysis** is enabled when the file is available in the Defender for Endpoint backend sample collection, or if it was observed on a Windows 10 device that supports submitting to deep analysis. > [!NOTE] > Only files from Windows 10 can be automatically collected. -You can also manually submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 device, and wait for **Submit for deep analysis** button to become available. +You can also submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file wasn't observed on a Windows 10 device, and wait for **Submit for deep analysis** button to become available. > [!NOTE] -> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Microsoft Defender ATP. +> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Defender for Endpoint. -When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications. +When the sample is collected, Defender for Endpoint runs the file in a secure environment. It then creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications. -**Submit files for deep analysis:** +### Submit files for deep analysis 1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: - - Alerts - click the file links from the **Description** or **Details** in the Artifact timeline - - **Devices list** - click the file links from the **Description** or **Details** in the **Device in organization** section + - Alerts - select the file links from the **Description** or **Details** in the Artifact timeline + - **Devices list** - select the file links from the **Description** or **Details** in the **Device in organization** section - Search box - select **File** from the drop–down menu and enter the file name -2. In the **Deep analysis** tab of the file view, click **Submit**. +2. In the **Deep analysis** tab of the file view, select **Submit**. - ![You can only submit PE files in the file details section](images/submit-file.png) + ![You can only submit PE files in the file details section](images/submit-file.png) ->**Note**  Only PE files are supported, including _.exe_ and _.dll_ files + > [!NOTE] + > Only PE files are supported, including _.exe_ and _.dll_ files. A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done. > [!NOTE] > Depending on device availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can re–submit files for deep analysis to get fresh data on the file. -**View deep analysis reports** +### View deep analysis reports -View the deep analysis report that Microsoft Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context. +View the provided deep analysis report to see more in-depth insights on the file you submitted. This feature is available in the file view context. You can view the comprehensive report that provides details on the following sections: @@ -261,18 +266,18 @@ The details provided can help you investigate if there are indications of a pote 1. Select the file you submitted for deep analysis. 2. Select the **Deep analysis** tab. If there are any previous reports, the report summary will appear in this tab. - ![The deep analysis report shows detailed information across a number of categories](images/analysis-results-nothing.png) + ![The deep analysis report shows detailed information across a number of categories](images/analysis-results-nothing500.png) -**Troubleshoot deep analysis** +#### Troubleshoot deep analysis -If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps. +If you come across a problem when trying to submit a file, try each of the following troubleshooting steps. 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications). -1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. -1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error. -1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value: +2. Ensure the service has access to the file, that it still exists, and hasn't been corrupted or modified. +3. Wait a short while and try to submit the file again. The queue may be full, or there was a temporary connection or communication error. +4. If the sample collection policy isn't configured, then the default behavior is to allow sample collection. If it's configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value: - ```Powershell + ```powershell Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection Name: AllowSampleCollection Type: DWORD @@ -282,6 +287,7 @@ If you encounter a problem when trying to submit a file, try each of the followi ``` 1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md). + 1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md index 89647f9832..45004c7b04 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md @@ -4,7 +4,7 @@ description: Take response actions on a device such as isolating devices, collec keywords: respond, isolate, isolate device, collect investigation package, action center, restrict, manage tags, av scan, restrict app search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,19 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Take response actions on a device [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) Quickly respond to detected attacks by isolating devices or collecting an investigation package. After taking action on devices, you can check activity details on the Action center. @@ -128,7 +128,7 @@ One you have selected **Run antivirus scan**, select the scan type that you'd li The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Microsoft Defender AV alerts will reflect any detections that surfaced during the scan. >[!NOTE] ->When triggering a scan using Microsoft Defender ATP response action, Microsoft Defender antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU impact of the scan.
        +>When triggering a scan using Defender for Endpoint response action, Microsoft Defender antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU impact of the scan.
        >If ScanAvgCPULoadFactor is not configured, the default value is a limit of 50% maximum CPU load during a scan.
        >For more information, see [configure-advanced-scan-types-microsoft-defender-antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus). @@ -163,7 +163,7 @@ Depending on the severity of the attack and the sensitivity of the device, you m >- Full isolation is available for devices on Windows 10, version 1703. >- Selective isolation is available for devices on Windows 10, version 1709 or later. -This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the device. +This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device. On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation'). @@ -175,7 +175,7 @@ Once you have selected **Isolate device** on the device page, type a comment and ![Image of isolate device](images/isolate-device.png) >[!NOTE] ->The device will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated. +>The device will remain connected to the Defender for Endpoint service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated. **Notification on device user**:
        When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network: diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index 7b9e53a6e8..fac76273f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md @@ -3,7 +3,7 @@ title: Restrict app execution API description: Use this API to create calls related to restricting an application from executing. keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,27 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Restrict app execution API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -37,7 +46,7 @@ Restrict execution of all applications on the device except a predefined set. [!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -51,7 +60,7 @@ Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/machines/{id}/restrictCodeExecution +POST https://api.securitycenter.microsoft.com/api/machines/{id}/restrictCodeExecution ``` ## Request headers @@ -78,14 +87,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. +```http +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution ``` -POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution -Content-type: application/json + +```json { "Comment": "Restrict code execution due to alert 1234" } ``` -- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md). - +- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md index 7188c9c212..3c45e7a6ad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md @@ -2,50 +2,52 @@ title: Review alerts in Microsoft Defender Advanced Threat Protection description: Review alert information, including a visualized alert story and details for each step of the chain. keywords: incident, incidents, machines, devices, users, alerts, alert, investigation, graph, evidence -ms.prod: microsoft-365-enterprise +ms.prod: m365-security ms.pagetype: security -f1.keywords: -- NOCSH +f1.keywords: + - NOCSH ms.author: daniha -author: danihalfin +author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual ms.date: 5/1/2020 +ms.technology: mde --- -# Review alerts in Microsoft Defender Advanced Threat Protection +# Review alerts in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink) +The alert page in Microsoft Defender for Endpoint provides full context to the alert, by combining attack signals and alerts related to the selected alert, to construct a detailed alert story. -The new alert page in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) provides full context to the alert, by combining attack signals and alerts related to the selected alert, to construct a detailed alert story. +Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location. Learn more in this overview. -Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location. +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4yiO5] ## Getting started with an alert -Clicking on an alert's name in Microsoft Defender ATP will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections: +Selecting an alert's name in Defender for Endpoint will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections: 1. **The alert title** shows the alert's name and is there to remind you which alert started your current investigation regardless of what you have selected on the page. 2. [**Affected assets**](#review-affected-assets) lists cards of devices and users affected by this alert that are clickable for further information and actions. -3. [**The alert story**](#investigate-using-the-alert-story) displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page. -4. [**The details pane**](#take-action-from-the-details-pane) will show the details of the selected alert at first, with details and actions related to this alert. If you click on any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object. +3. The **alert story** displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page. Use the alert story to start your investigation. Learn how in [Investigate alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts). +4. The **details pane** will show the details of the selected alert at first, with details and actions related to this alert. If you select any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object. ![An alert page when you first land on it](images/alert-landing-view.png) -Note the detection status for your alert. Blocked, prevented, or remediated means actions were already taken by Microsoft Defender ATP. -Start by reviewing the *automated investigation details* in your alert's [details pane](#take-action-from-the-details-pane), to see which actions were already taken, as well as reading the alert's description for recommended actions. +Note the detection status for your alert. Blocked, or prevented means actions were already taken by Defender for Endpoint. +Start by reviewing the *automated investigation details* in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions. ![A snippet of the details pane with the alert description and automatic investigation sections highlighted](images/alert-air-and-alert-description.png) @@ -53,50 +55,13 @@ Other information available in the details pane when the alert opens includes MI ## Review affected assets -Clicking on a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane. +Selecting a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane. - **For devices** the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view. -- **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can click *Open user page* to continue the investigation from that user's point of view. +- **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can select *Open user page* to continue the investigation from that user's point of view. ![A snippet of the details pane when a device is selected](images/alert-device-details.png) -## Investigate using the alert story - -The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities. - -Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first. - -Expand entities to view details at-a-glance about them. Clicking on an entity will switch the context of the details pane to this entity, and will allow you to review further information, as well as manage that entity. Clicking on *...* to the right of the entity card will reveal all actions available for that entity. These same actions appear in the details pane when that entity is in focus. - -> [!NOTE] -> The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected. - -![An example of an alert story with an alert in focus and some expanded cards](images/alert-story-tree.png) - -## Take action from the details pane - -Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information, when its available, and offer controls to **take action** on this entity directly from the alert page. - -Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts. - -If you classify it as a true alert, you can also select a determination, as shown in the image below. - -![A snippet of the details pane with a resolved alert and the determination drop-down expanded](images/alert-details-resolved-true.png) - -If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future. - -![actions and classification in the details pane with the suppression rule highlighted](images/alert-false-suppression-rule.png) - -> [!TIP] -> If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket. - -## Transitioning to the new alert page - -When making the move to the new alert page you will notice that we have centralized information from the alert process tree, the incident graph, and the artifact timeline into the [alert story](#investigate-using-the-alert-story), with some information available through the [affected assets](#review-affected-assets) section. Any additional information has been consolidated into the details pane for the relevant entities. - -## Video overview of the new alert page - -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5] ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 91772a215f..e50d7962b8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -4,7 +4,7 @@ ms.reviewer: description: Learn to use the advanced hunting API to run advanced queries on Microsoft Defender Advanced Threat Protection. Find out about limitations and see an example. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Advanced hunting API @@ -22,21 +23,25 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## Limitations 1. You can only run a query on data from the last 30 days. 2. The results will include a maximum of 100,000 rows. 3. The number of executions is limited per tenant: - - API calls: Up to 15 calls per minute - - Execution time: 10 minutes of running time every hour and 4 hours of running time a day + - API calls: Up to 45 calls per minute. + - Execution time: 10 minutes of running time every hour and 3 hours of running time a day. 4. The maximal execution time of a single request is 10 minutes. -5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed. +5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -50,7 +55,7 @@ Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries' ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/advancedqueries/run +POST https://api.securitycenter.microsoft.com/api/advancedqueries/run ``` ## Request headers @@ -77,12 +82,11 @@ Request Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - +```http +POST https://api.securitycenter.microsoft.com/api/advancedqueries/run ``` -POST https://api.securitycenter.windows.com/api/advancedqueries/run -Content-type: application/json + +```json { "Query":"DeviceProcessEvents | where InitiatingProcessFileName =~ 'powershell.exe' @@ -137,6 +141,6 @@ Here is an example of the response. ``` ## Related topic -- [Microsoft Defender ATP APIs introduction](apis-intro.md) +- [Microsoft Defender for Endpoint APIs introduction](apis-intro.md) - [Advanced Hunting from Portal](advanced-hunting-query-language.md) - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md index dfb227ec23..672ca68dd2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md @@ -4,7 +4,7 @@ ms.reviewer: description: Learn the basics of querying the Microsoft Defender Advanced Threat Protection API, using PowerShell. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,16 +13,22 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Advanced Hunting using PowerShell [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md). @@ -51,8 +57,8 @@ $tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID he $appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here $appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here -$resourceAppIdUri = 'https://api.securitycenter.windows.com' -$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$resourceAppIdUri = 'https://api.securitycenter.microsoft.com' +$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token" $body = [Ordered] @{ resource = "$resourceAppIdUri" client_id = "$appId" @@ -65,7 +71,7 @@ $aadToken = $response.access_token where - $tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant) -- $appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP) +- $appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Defender for Endpoint) - $appSecret: Secret of your Azure AD app ## Run query @@ -75,7 +81,7 @@ Run the following query: ``` $query = 'RegistryEvents | limit 10' # Paste your own query here -$url = "https://api.securitycenter.windows.com/api/advancedqueries/run" +$url = "https://api.securitycenter.microsoft.com/api/advancedqueries/run" $headers = @{ 'Content-Type' = 'application/json' Accept = 'application/json' @@ -117,6 +123,6 @@ $results | ConvertTo-Json | Set-Content file1.json ## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) +- [Microsoft Defender for Endpoint APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using Python](run-advanced-query-sample-python.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md index 55f4d1ec1b..f8160dceca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md @@ -4,7 +4,7 @@ ms.reviewer: description: Learn how to query using the Microsoft Defender Advanced Threat Protection API, by using Python, with examples. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,23 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Advanced Hunting using Python [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -**Applies to:** +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md). @@ -46,9 +51,9 @@ tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID her appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here -url = "https://login.windows.net/%s/oauth2/token" % (tenantId) +url = "https://login.microsoftonline.com/%s/oauth2/token" % (tenantId) -resourceAppIdUri = 'https://api.securitycenter.windows.com' +resourceAppIdUri = 'https://api.securitycenter.microsoft.com' body = { 'resource' : resourceAppIdUri, @@ -68,7 +73,7 @@ aadToken = jsonResponse["access_token"] where - tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant) -- appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP) +- appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Microsoft Defender for Endpoint) - appSecret: Secret of your Azure AD app ## Run query @@ -78,7 +83,7 @@ where ``` query = 'RegistryEvents | limit 10' # Paste your own query here -url = "https://api.securitycenter.windows.com/api/advancedqueries/run" +url = "https://api.securitycenter.microsoft.com/api/advancedqueries/run" headers = { 'Content-Type' : 'application/json', 'Accept' : 'application/json', @@ -147,6 +152,6 @@ outputFile.close() ## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) +- [Microsoft Defender for Endpoint APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index ac66c55986..391ed99e1c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -3,7 +3,7 @@ title: Run antivirus scan API description: Use this API to create calls related to running an antivirus scan on a device. keywords: apis, graph api, supported apis, remove device from isolation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,19 +12,22 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Run antivirus scan API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description Initiate Microsoft Defender Antivirus scan on a device. @@ -37,7 +40,7 @@ Initiate Microsoft Defender Antivirus scan on a device. [!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -51,7 +54,7 @@ Delegated (work or school account) | Machine.Scan | 'Scan machine' ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/machines/{id}/runAntiVirusScan +POST https://api.securitycenter.microsoft.com/api/machines/{id}/runAntiVirusScan ``` ## Request headers @@ -86,12 +89,14 @@ If successful, this method returns 201, Created response code and _MachineAction Here is an example of the request. +```http +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan ``` -POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan -Content-type: application/json + +```json { "Comment": "Check machine for viruses due to alert 3212", - “ScanType”: “Full” + "ScanType": "Full" } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index 21efcfa495..e4acca12b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md @@ -4,7 +4,7 @@ description: Run the detection script on a newly onboarded device to verify that keywords: detection test, detection, powershell, script, verify, onboarding, microsoft defender advanced threat protection onboarding, clients, servers, test search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,12 +14,13 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- -# Run a detection test on a newly onboarded Microsoft Defender ATP device +# Run a detection test on a newly onboarded Microsoft Defender for Endpoint device [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -30,10 +31,12 @@ ms.topic: article - Windows Server 2016 - Windows Server, version 1803 - Windows Server, 2019 -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Microsoft Defender ATP service. +Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Defender for Endpoint service. 1. Create a folder: 'C:\test-MDATP-test'. 2. Open an elevated command-line prompt on the device and run the script: @@ -55,4 +58,4 @@ The Command Prompt window will close automatically. If successful, the detection ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard servers](configure-server-endpoints.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding) diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md index e0d37c9adc..99c8566590 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/score.md @@ -3,7 +3,7 @@ title: Score methods and properties description: Retrieves your organization's exposure score, device secure score, and exposure score by device group keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Score resource type @@ -21,9 +22,16 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index c564eb22ec..fae7709749 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md @@ -4,7 +4,7 @@ description: Use the dashboard to identify devices at risk, keep track of the st keywords: dashboard, alerts, new, in progress, resolved, risk, devices at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender Security Center Security operations dashboard @@ -23,9 +24,9 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) The **Security operations dashboard** is where the endpoint detection and response capabilities are surfaced. It provides a high level overview of where detections were seen and highlights where response actions are needed. @@ -59,7 +60,7 @@ Each group is further sub-categorized into their corresponding alert severity le For more information see, [Alerts overview](alerts-queue.md). -Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. For more information see, [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) and [Alerts overview](alerts-queue.md). +Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. For more information see, [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md) and [Alerts overview](alerts-queue.md). ## Devices at risk @@ -69,16 +70,16 @@ This tile shows you a list of devices with the highest number of active alerts. Click the name of the device to see details about that device. For more information see, [Investigate devices in the Microsoft Defender Advanced Threat Protection Devices list](investigate-machines.md). -You can also click **Devices list** at the top of the tile to go directly to the **Devices list**, sorted by the number of active alerts. For more information see, [Investigate devices in the Microsoft Defender Advanced Threat Protection Devices list](investigate-machines.md). +You can also click **Devices list** at the top of the tile to go directly to the **Devices list**, sorted by the number of active alerts. For more information see, [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md). ## Devices with sensor issues -The **Devices with sensor issues** tile provides information on the individual device’s ability to provide sensor data to the Microsoft Defender ATP service. It reports how many devices require attention and helps you identify problematic devices. +The **Devices with sensor issues** tile provides information on the individual device’s ability to provide sensor data to the Microsoft Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices. ![Devices with sensor issues tile](images/atp-tile-sensor-health.png) There are two status indicators that provide information on the number of devices that are not reporting properly to the service: -- **Misconfigured** – These devices might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. -- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. +- **Misconfigured** – These devices might partially be reporting sensor data to the Microsoft Defender for Endpoint service and might have configuration errors that need to be corrected. +- **Inactive** - Devices that have stopped reporting to the Microsoft Defender for Endpoint service for more than seven days in the past month. When you click any of the groups, you’ll be directed to devices list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status.md) and [Investigate devices](investigate-machines.md). @@ -87,7 +88,7 @@ The **Service health** tile informs you if the service is active or if there are ![The Service health tile shows an overall indicator of the service](images/status-tile.png) -For more information on the service health, see [Check the Microsoft Defender ATP service health](service-status.md). +For more information on the service health, see [Check the Microsoft Defender for Endpoint service health](service-status.md). ## Daily devices reporting @@ -116,10 +117,10 @@ The tile shows you a list of user accounts with the most active alerts and the n Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user.md). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink) ## Related topics -- [Understand the Microsoft Defender Advanced Threat Protection portal](use.md) +- [Understand the Microsoft Defender for Endpoint portal](use.md) - [Portal overview](portal-overview.md) - [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/service-status.md b/windows/security/threat-protection/microsoft-defender-atp/service-status.md index 1373591e5d..c0c35a7e8e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/service-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/service-status.md @@ -4,7 +4,7 @@ description: Check Microsoft Defender ATP service health, see if the service is keywords: dashboard, service, issues, service health, current status, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,23 +13,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Check the Microsoft Defender Advanced Threat Protection service health +# Check the Microsoft Defender for Endpoint service health [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-servicestatus-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-servicestatus-abovefoldlink) -**Service health** provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see information such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. +**Service health** provides information on the current status of the Defender for Endpoint service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see information such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status. @@ -41,7 +42,7 @@ The **Service health** details page has the following tabs: - **Status history** ## Current status -The **Current status** tab shows the current state of the Microsoft Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue: +The **Current status** tab shows the current state of the Defender for Endpoint service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue: - Date and time for when the issue was detected - A short description of the issue diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md index eb081b2ce2..366f94269c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md +++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md @@ -3,7 +3,7 @@ title: Set device value API description: Learn how to specify the value of a device using a Microsoft Defender Advanced Threat Protection API. keywords: apis, graph api, supported apis, tags, machine tags search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,27 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Set device value API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -39,7 +48,7 @@ See [assign device values](tvm-assign-device-value.md) for more information. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -67,12 +76,28 @@ Content-Type | string | application/json. **Required**. ## Request body -```json -{ - "DeviceValue": "{device value}" -} -``` +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +DeviceValue | Enum | Device value. Allowed values are: 'Normal', 'Low' and 'High'. **Required**. ## Response If successful, this method returns 200 - Ok response code and the updated Machine in the response body. + +## Example + +**Request** + +Here is an example of a request that adds machine tag. + +```http +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue +``` + +```json +{ + "DeviceValue" : "High" +} +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md index bdd977b76d..d158ad400f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/software.md @@ -3,7 +3,7 @@ title: Software methods and properties description: Retrieves top recent alerts. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,27 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Software resource type [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md index 1d98b043e9..f39ff29d54 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md @@ -3,7 +3,7 @@ title: Stop and quarantine file API description: Learn how to stop running a file on a device and delete the file in Microsoft Defender Advanced Threat Protection. See an example. keywords: apis, graph api, supported apis, stop and quarantine file search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,22 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Stop and quarantine file API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -37,7 +41,7 @@ Stop execution of a file on a device and delete it. [!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -51,7 +55,7 @@ Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quara ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile +POST https://api.securitycenter.microsoft.com/api/machines/{id}/StopAndQuarantineFile ``` ## Request headers @@ -79,9 +83,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. +```http +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile ``` -POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile -Content-type: application/json + +```json { "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9" diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md deleted file mode 100644 index 0ad991db3c..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -title: Supported Microsoft Defender Advanced Threat Protection response APIs -description: Learn about the specific response-related Microsoft Defender Advanced Threat Protection API calls. -keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Supported Microsoft Defender ATP query APIs - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -> [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) - -Learn about the supported response-related API calls you can run and details such as the required request headers, and expected response from the calls. - -## In this section -Topic | Description -:---|:--- -Collect investigation package | Run this API to collect an investigation package from a device. -Isolate device | Run this API to isolate a device from the network. -Unisolate device | Remove a device from isolation. -Restrict code execution | Run this API to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. -Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated. -Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device. -Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys. -Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage. -Block file | Run this API to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. -Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus. -Get package SAS URI | Run this API to get a URI that allows downloading an investigation package. -Get MachineAction object | Run this API to get MachineAction object. -Get MachineActions collection | Run this to get MachineAction collection. -Get FileActions collection | Run this API to get FileActions collection. -Get FileMachineAction object | Run this API to get FileMachineAction object. -Get FileMachineActions collection | Run this API to get FileMachineAction collection. diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md index c9b60c2b17..9e6acab8df 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md @@ -4,7 +4,7 @@ description: Make the switch to Microsoft Defender for Endpoint. Read this artic keywords: migration, windows defender advanced endpoint protection, for Endpoint, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,18 +14,23 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-migratetomdatp -- m365solution-overview + - M365-security-compliance + - m365solution-migratetomdatp + - m365solution-overview ms.topic: conceptual ms.custom: migrationguides -ms.date: 09/24/2020 +ms.date: 02/11/2021 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +ms.technology: mde --- # Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint -If you are planning to switch from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), and you're looking for help, you're in the right place. Use this article as a guide to plan your migration. +If you are planning to switch from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint), you're in the right place. Use this article as a guide. + +:::image type="content" source="images/nonms-mde-migration.png" alt-text="Overview of migrating to Defender for Endpoint"::: + +When you make the switch to Defender for Endpoint, you begin with your non-Microsoft solution in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, and then set Defender for Endpoint to active mode and remove the non-Microsoft solution. > [!TIP] > - If you're currently using McAfee Endpoint Security (McAfee), see [Migrate from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md). @@ -35,11 +40,13 @@ If you are planning to switch from a non-Microsoft endpoint protection solution When you switch to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table: +![Migration phases - prepare, setup, onboard](images/phase-diagrams/migration-phases.png) + |Phase |Description | |--|--| -|[![Phase 1: Prepare](images/prepare.png)](switch-to-microsoft-defender-prepare.md)
        [Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. | -|[![Phase 2: Set up](images/setup.png)](switch-to-microsoft-defender-setup.md)
        [Set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and your existing endpoint protection solution. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.| -|[![Phase 3: Onboard](images/onboard.png)](switch-to-microsoft-defender-onboard.md)
        [Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall your existing endpoint protection solution and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. | +|[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. | +|[Set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and your existing endpoint protection solution. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.| +|[Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall your existing endpoint protection solution and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. | ## What's included in Microsoft Defender for Endpoint? diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md index 4852139083..750fbb2666 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md @@ -4,8 +4,8 @@ description: This is phase 3, Onboard, for migrating from a non-Microsoft soluti keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,17 +15,25 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-migratetomdatp + - M365-security-compliance + - m365solution-migratetomdatp ms.custom: migrationguides ms.topic: article -ms.date: 09/24/2020 +ms.date: 02/11/2021 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho --- # Switch to Microsoft Defender for Endpoint - Phase 3: Onboard -|[![Phase 1: Prepare](images/prepare.png)](switch-to-microsoft-defender-prepare.md)
        [Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |[![Phase 2: Set up](images/setup.png)](switch-to-microsoft-defender-setup.md)
        [Phase 2: Set up](switch-to-microsoft-defender-setup.md) |![Phase 3: Onboard](images/onboard.png)
        Phase 3: Onboard | +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +|[![Phase 1: Prepare](images/prepare.png)](switch-to-microsoft-defender-prepare.md)
        [Phase 1: Prepare2](switch-to-microsoft-defender-prepare.md) |[![Phase 2: Set up](images/setup.png)](switch-to-microsoft-defender-setup.md)
        [Phase 2: Set up2](switch-to-microsoft-defender-setup.md) |![Phase 3: Onboard1](images/onboard.png)
        Phase 3: Onboard | +|[![Phase 1: Prepare3](images/phase-diagrams/prepare.png)](switch-to-microsoft-defender-prepare.md)
        [Phase 1: Prepare4](switch-to-microsoft-defender-prepare.md) |[![Phase 2: Set up2](images/phase-diagrams/setup.png)](switch-to-microsoft-defender-setup.md)
        [Phase 2: Set up](switch-to-microsoft-defender-setup.md) |![Phase 3: Onboard2](images/phase-diagrams/onboard.png)
        Phase 3: Onboard | + |--|--|--| || |*You are here!* | @@ -40,11 +48,8 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho ## Onboard devices to Microsoft Defender for Endpoint 1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. - 2. Choose **Settings** > **Device management** > **Onboarding**. - 3. In the **Select operating system to start onboarding process** list, select an operating system. - 4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article). ### Onboarding methods @@ -63,7 +68,6 @@ Deployment methods vary, depending on which operating system is selected. Refer To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test. - |Operating system |Guidance | |---------|---------| |- Windows 10
        - Windows Server 2019
        - Windows Server, version 1803
        - Windows Server 2016
        - Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).

        Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md index 5896bc9f4e..dcc7c80896 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md @@ -4,8 +4,8 @@ description: This is phase 1, Prepare, for migrating to Microsoft Defender for E keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,17 +15,25 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-migratetomdatp + - M365-security-compliance + - m365solution-migratetomdatp ms.topic: article ms.custom: migrationguides -ms.date: 09/22/2020 +ms.date: 02/11/2021 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho --- # Switch to Microsoft Defender for Endpoint - Phase 1: Prepare -|![Phase 1: Prepare](images/prepare.png)
        Phase 1: Prepare |[![Phase 2: Set up](images/setup.png)](switch-to-microsoft-defender-setup.md)
        [Phase 2: Set up](switch-to-microsoft-defender-setup.md) |[![Phase 3: Onboard](images/onboard.png)](switch-to-microsoft-defender-onboard.md)
        [Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) | +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +|![Phase 1: Prepare](images/prepare.png)
        Phase 1: Prepare |[![Phase 2: Set up](images/setup.png)](switch-to-microsoft-defender-setup.md)
        [Phase 2: Set up2](switch-to-microsoft-defender-setup.md) |[![Phase 3: Onboard](images/onboard.png)](switch-to-microsoft-defender-onboard.md)
        [Phase 3: Onboard2](switch-to-microsoft-defender-onboard.md) | +|![Phase 1: Prepare2](images/phase-diagrams/prepare.png)
        Phase 1: Prepare |[![Phase 2: Set up3](images/phase-diagrams/setup.png)](switch-to-microsoft-defender-setup.md)
        [Phase 2: Set up4](switch-to-microsoft-defender-setup.md) |[![Phase 3: Onboard3](images/phase-diagrams/onboard.png)](switch-to-microsoft-defender-onboard.md)
        [Phase 3: Onboard4](switch-to-microsoft-defender-onboard.md) | + |--|--|--| |*You are here!*| | | @@ -65,11 +73,8 @@ Need help updating your organization's devices? See the following resources: Now that you've updated your organization's devices, the next step is to get Microsoft Defender for Endpoint, assign licenses, and make sure the service is provisioned. 1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp). - 2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state). - 3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration). - 4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration). At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). @@ -84,14 +89,11 @@ The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions. 1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control). - 2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control). - If your organization requires a method other than Intune, choose one of the following options: - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration) - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm) - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview) - 3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)). ## Configure device proxy and internet connectivity settings @@ -100,12 +102,12 @@ To enable communication between your devices and Microsoft Defender for Endpoint |Capabilities | Operating System | Resources | |--|--|--| -|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | -|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
        - [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | -|EDR |macOS:
        - 10.15 (Catalina)
        - 10.14 (Mojave)
        - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | -|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
        - [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
        | -|Antivirus |macOS:
        - 10.15 (Catalina)
        - 10.14 (Mojave)
        - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | -|Antivirus |Linux:
        - RHEL 7.2+
        - CentOS Linux 7.2+
        - Ubuntu 16 LTS, or higher LTS
        - SLES 12+
        - Debian 9+
        - Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) | +|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | +|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
        - [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | +|EDR |macOS:
        - 10.15 (Catalina)
        - 10.14 (Mojave)
        - 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
        - [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
        | +|Antivirus |macOS:
        - 10.15 (Catalina)
        - 10.14 (Mojave)
        - 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|Antivirus |Linux:
        - RHEL 7.2+
        - CentOS Linux 7.2+
        - Ubuntu 16 LTS, or higher LTS
        - SLES 12+
        - Debian 9+
        - Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) | ## Next step diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md index b8c66898af..629394aa04 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md @@ -4,8 +4,8 @@ description: This is phase 2, Setup, for switching to Microsoft Defender for End keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,17 +15,24 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-migratetomdatp + - M365-security-compliance + - m365solution-migratetomdatp ms.topic: article ms.custom: migrationguides -ms.date: 09/22/2020 +ms.date: 02/11/2021 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho --- # Switch to Microsoft Defender for Endpoint - Phase 2: Setup -|[![Phase 1: Prepare](images/prepare.png)](switch-to-microsoft-defender-prepare.md)
        [Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |![Phase 2: Set up](images/setup.png)
        Phase 2: Set up |[![Phase 3: Onboard](images/onboard.png)](switch-to-microsoft-defender-onboard.md)
        [Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) | +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +|[![Phase 1: Prepare1](images/prepare.png)](switch-to-microsoft-defender-prepare.md)
        [Phase 1: Prepare2](switch-to-microsoft-defender-prepare.md) |![Phase 2: Set up](images/setup.png)
        Phase 2: Set up |[![Phase 3: Onboard1](images/onboard.png)](switch-to-microsoft-defender-onboard.md)
        [Phase 3: Onboard2](switch-to-microsoft-defender-onboard.md) | +|[![Phase 1: Prepare3](images/phase-diagrams/prepare.png)](switch-to-microsoft-defender-prepare.md)
        [Phase 1: Prepare4](switch-to-microsoft-defender-prepare.md) |![Phase 2: Set up2](images/phase-diagrams/setup.png)
        Phase 2: Set up |[![Phase 3: Onboard3](images/phase-diagrams/onboard.png)](switch-to-microsoft-defender-onboard.md)
        [Phase 3: Onboard4](switch-to-microsoft-defender-onboard.md) | |--|--|--| ||*You are here!* | | @@ -55,17 +62,11 @@ This step of the migration process includes the following tasks: The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false: 1. On your Windows Server device, open Registry Editor. - 2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`. - 3. In that folder, look for a DWORD entry called **DisableAntiSpyware**. - - If you do not see that entry, you're all set. - - If you do see **DisableAntiSpyware**, proceed to step 4. - 4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**. - 5. Set the value to `0`. (This sets the registry key's value to *false*.) > [!TIP] @@ -80,19 +81,19 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d > - Windows Server 2016 1. As a local administrator on the endpoint or device, open Windows PowerShell. - -2. Run the following PowerShell cmdlets:
        - +2. Run the following PowerShell cmdlets:
        `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
        - `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
        - + > [!NOTE] + > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required. + > Example:
        + > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
        + > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
        3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
        - `Get-Service -Name windefend` > [!TIP] -> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016). +> Need help? See [Microsoft Defender Antivirus on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016). ### Set Microsoft Defender Antivirus to passive mode on Windows Server @@ -100,11 +101,8 @@ Because your organization is still using your existing endpoint protection solut 1. Open Registry Editor, and then navigate to
        `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. - 2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: - - Set the DWORD's value to **1**. - - Under **Base**, select **Hexadecimal**. > [!NOTE] @@ -121,9 +119,9 @@ To enable Microsoft Defender Antivirus, we recommend using Intune. However, you |Method |What to do | |---------|---------| -|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

        **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

        2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
        If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).

        3. Select **Properties**, and then select **Configuration settings: Edit**.

        4. Expand **Microsoft Defender Antivirus**.

        5. Enable **Cloud-delivered protection**.

        6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.

        7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.

        8. Select **Review + save**, and then choose **Save**.

        For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).| -|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).

        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | -|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
        or
        [Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.

        2. Look for a policy called **Turn off Microsoft Defender Antivirus**.

        3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.

        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
        **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
        2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
        3. Select **Properties**, and then select **Configuration settings: Edit**.
        4. Expand **Microsoft Defender Antivirus**.
        5. Enable **Cloud-delivered protection**.
        6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
        7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
        8. Select **Review + save**, and then choose **Save**.
        **TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).| +|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | +|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
        or
        [Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
        2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
        3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | ### Confirm that Microsoft Defender Antivirus is in passive mode @@ -131,8 +129,8 @@ Microsoft Defender Antivirus can run alongside your existing endpoint protection |Method |What to do | |---------|---------| -|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

        2. Type `sc query windefend`, and then press Enter.

        3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

        2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

        3. In the list of results, look for **AntivirusEnabled: True**. | +|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
        2. Type `sc query windefend`, and then press Enter.
        3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
        2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
        3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. | > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. @@ -158,8 +156,8 @@ The specific exclusions to configure depend on which version of Windows your end |OS |Exclusions | |--|--| -|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
        - Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`

        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`

        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`

        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
        | -|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
        - [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`

        **NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.

        `C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | +|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))
        - Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
        | +|- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
        - [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
        **NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
        `C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
        `C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
        `C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
        `C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
        `C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
        `C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | ## Add your existing solution to the exclusion list for Microsoft Defender Antivirus @@ -175,33 +173,27 @@ You can choose from several methods to add your exclusions to Microsoft Defender |Method | What to do| |--|--| -|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

        **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

        2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.

        3. Under **Manage**, select **Properties**.

        4. Select **Configuration settings: Edit**.

        5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.

        6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).

        7. Choose **Review + save**, and then choose **Save**. | -|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.

        2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. | -|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

        2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.

        3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

        4. Double-click the **Path Exclusions** setting and add the exclusions.
        - Set the option to **Enabled**.
        - Under the **Options** section, click **Show...**.
        - Specify each folder on its own line under the **Value name** column.
        - If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.

        5. Click **OK**.

        6. Double-click the **Extension Exclusions** setting and add the exclusions.
        - Set the option to **Enabled**.
        - Under the **Options** section, click **Show...**.
        - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.

        7. Click **OK**. | -|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.

        2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

        3. Specify your path and process exclusions. | -|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.

        2. Import the registry key. Here are two examples:
        - Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
        - Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` | +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
        **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
        2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
        3. Under **Manage**, select **Properties**.
        4. Select **Configuration settings: Edit**.
        5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
        6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
        7. Choose **Review + save**, and then choose **Save**. | +|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
        2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. | +|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
        2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
        3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
        4. Double-click the **Path Exclusions** setting and add the exclusions.
        - Set the option to **Enabled**.
        - Under the **Options** section, click **Show...**.
        - Specify each folder on its own line under the **Value name** column.
        - If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
        5. Click **OK**.
        6. Double-click the **Extension Exclusions** setting and add the exclusions.
        - Set the option to **Enabled**.
        - Under the **Options** section, click **Show...**.
        - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
        7. Click **OK**. | +|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
        2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
        3. Specify your path and process exclusions. | +|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
        2. Import the registry key. Here are two examples:
        - Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
        - Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` | ## Add your existing solution to the exclusion list for Microsoft Defender for Endpoint To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files). 1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. - 2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**. - 3. On the **File hashes** tab, choose **Add indicator**. - -3. On the **Indicator** tab, specify the following settings: +4. On the **Indicator** tab, specify the following settings: - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.) - Under **Expires on (UTC)**, choose **Never**. - -4. On the **Action** tab, specify the following settings: +5. On the **Action** tab, specify the following settings: - **Response Action**: **Allow** - Title and description - -5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**. - -6. On the **Summary** tab, review the settings, and then click **Save**. +6. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**. +7. On the **Summary** tab, review the settings, and then click **Save**. ### Find a file hash using CMPivot @@ -210,38 +202,32 @@ CMPivot is an in-console utility for Configuration Manager. CMPivot provides acc To use CMPivot to get your file hash, follow these steps: 1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites). - 2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot). - 3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`). - 4. Select the **Query** tab. - 5. In the **Device Collection** list, and choose **All Systems (default)**. - 6. In the query box, type the following query:
        -```kusto -File(c:\\windows\\notepad.exe) -| project Hash -``` -> [!NOTE] -> In the query above, replace *notepad.exe* with the your third-party security product process name. + ```kusto + File(c:\\windows\\notepad.exe) + | project Hash + ``` + + > [!NOTE] + > In the query above, replace *notepad.exe* with the your third-party security product process name. ## Set up your device groups, device collections, and organizational units | Collection type | What to do | |--|--| -|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.

        Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.

        Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).

        2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.

        3. Choose **+ Add device group**.

        4. Specify a name and description for the device group.

        5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).

        6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).

        7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.

        8. Choose **Done**. | -|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.

        Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | -|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.

        Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). | +|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
        Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
        Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
        2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
        3. Choose **+ Add device group**.
        4. Specify a name and description for the device group.
        5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
        6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
        7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
        8. Choose **Done**. | +|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
        Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | +|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
        Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). | ## Configure antimalware policies and real-time protection Using Configuration Manager and your device collection(s), configure your antimalware policies. - - See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies). - - While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus). > [!TIP] diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md index 371f380e63..a3decded8f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md @@ -4,8 +4,8 @@ description: Get an overview of how to make the switch from Symantec to Microsof keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,31 +15,39 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-symantecmigrate -- m365solution-overview + - M365-security-compliance + - m365solution-symantecmigrate + - m365solution-overview ms.topic: conceptual -ms.date: 09/22/2020 +ms.date: 02/11/2021 ms.custom: migrationguides ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec to Microsoft Defender for Endpoint +If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide. + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +:::image type="content" source="images/symantec-mde-migration.png" alt-text="Overview of migrating from Symantec to Defender for Endpoint"::: - -If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), you're in the right place. Use this article as a guide to plan your migration. +When you make the switch from Symantec to Defender for Endpoint, you begin with your Symantec solution in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, and then set Defender for Endpoint to active mode and remove Symantec. ## The migration process When you switch from Symantec to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table: +![Migration phases - prepare, setup, onboard](images/phase-diagrams/migration-phases.png) + |Phase |Description | |--|--| -|[![Phase 1: Prepare](images/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)
        [Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. | -|[![Phase 2: Set up](images/setup.png)](symantec-to-microsoft-defender-atp-setup.md)
        [Set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.| -|[![Phase 3: Onboard](images/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)
        [Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall Symantec and make sure protection through Microsoft Defender for Endpoint is in active mode. | +|[Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. | +|[Set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.| +|[Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall Symantec and make sure protection through Microsoft Defender for Endpoint is in active mode. | ## What's included in Microsoft Defender for Endpoint? diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md index 38143cfd5f..0b8c881393 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md @@ -4,8 +4,8 @@ description: This is Phase 3, Onboarding, of migrating from Symantec to Microsof keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,20 +15,26 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-symantecmigrate + - M365-security-compliance + - m365solution-symantecmigrate ms.topic: article -ms.date: 09/24/2020 +ms.date: 02/11/2021 ms.custom: migrationguides ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 3: Onboard to Microsoft Defender for Endpoint +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -|[![Phase 1: Prepare](images/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)
        [Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[![Phase 2: Set up](images/setup.png)](symantec-to-microsoft-defender-atp-setup.md)
        [Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |![Phase 3: Onboard](images/onboard.png)
        Phase 3: Onboard | +|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)
        [Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[![Phase 2: Set up](images/phase-diagrams/setup.png)](symantec-to-microsoft-defender-atp-setup.md)
        [Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |![Phase 3: Onboard](images/phase-diagrams/onboard.png)
        Phase 3: Onboard | |--|--|--| || |*You are here!* | @@ -43,11 +49,8 @@ ms.reviewer: depicker, yongrhee, chriggs ## Onboard devices to Microsoft Defender for Endpoint 1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. - 2. Choose **Settings** > **Device management** > **Onboarding**. - 3. In the **Select operating system to start onboarding process** list, select an operating system. - 4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article). ### Onboarding methods @@ -66,24 +69,22 @@ Deployment methods vary, depending on which operating system is selected. Refer To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test. - |Operating system |Guidance | |---------|---------| -|- Windows 10
        - Windows Server 2019
        - Windows Server, version 1803
        - Windows Server 2016
        - Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).

        Visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | +|- Windows 10
        - Windows Server 2019
        - Windows Server, version 1803
        - Windows Server 2016
        - Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).

        Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | |macOS
        - 10.15 (Catalina)
        - 10.14 (Mojave)
        - 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).

        For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). | -|Linux:
        - RHEL 7.2+
        - CentOS Linux 7.2+
        - Ubuntu 16 LTS, or higher LTS
        - SLES 12+
        - Debian 9+
        - Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
        `mdatp health --field real_time_protection_enabled`.

        2. Open a Terminal window, and run the following command:
        `curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.

        3. Run the following command to list any detected threats:
        `mdatp threat list`.

        For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). | +|Linux:
        - RHEL 7.2+
        - CentOS Linux 7.2+
        - Ubuntu 16 LTS, or higher LTS
        - SLES 12+
        - Debian 9+
        - Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
        `mdatp health --field real_time_protection_enabled`.

        2. Open a Terminal window, and run the following command:
        `curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.

        3. Run the following command to list any detected threats:
        `mdatp threat list`.

        For more information, see [Microsoft Defender for Endpoint for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). | ## Uninstall Symantec Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall Symantec. 1. [Disable Tamper Protection](https://knowledge.broadcom.com/external/article?legacyId=tech192023) in Symantec. - -2. Delete the uninstall password for Symantec: +2. Delete the uninstall password for Symantec:
        1. On your Windows devices, open Registry Editor as an administrator. 2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`. - 3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**. - + 3. Look for an entry named **SmcInstData**. + 4. Right-click the item, and then choose **Delete**. 3. Remove Symantec from your devices. If you need help with this, see Broadcom's documentation. Here are a few Broadcom resources: - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html) - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040) @@ -102,7 +103,5 @@ To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([http ## Next steps **Congratulations**! You have completed your [migration from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)! - - [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). - - [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md index cc678c90eb..4195304f83 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md @@ -4,8 +4,8 @@ description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft D keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,20 +15,26 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-symantecmigrate + - M365-security-compliance + - m365solution-symantecmigrate ms.topic: article -ms.date: 09/22/2020 +ms.date: 02/11/2021 ms.custom: migrationguides ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 1: Prepare for your migration +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -|![Phase 1: Prepare](images/prepare.png)
        Phase 1: Prepare |[![Phase 2: Set up](images/setup.png)](symantec-to-microsoft-defender-atp-setup.md)
        [Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[![Phase 3: Onboard](images/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)
        [Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) | +|![Phase 1: Prepare](images/phase-diagrams/prepare.png)
        Phase 1: Prepare |[![Phase 2: Set up](images/phase-diagrams/setup.png)](symantec-to-microsoft-defender-atp-setup.md)
        [Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)
        [Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) | |--|--|--| |*You are here!*| | | @@ -45,11 +51,8 @@ This migration phase includes the following steps: To get started, you must have Microsoft Defender for Endpoint, with licenses assigned and provisioned. 1. Buy or try Microsoft Defender for Endpoint today. [Visit Microsoft Defender for Endpoint to start a free trial or request a quote](https://aka.ms/mdatp). - 2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state). - 3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration). - 4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration). At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). @@ -64,14 +67,11 @@ The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions. 1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control). - -2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control). - - If your organization requires a method other than Intune, choose one of the following options: +2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
        + If your organization requires a method other than Intune, choose one of the following options: - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration) - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm) - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview) - 3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)). ## Configure device proxy and internet connectivity settings @@ -80,15 +80,14 @@ To enable communication between your devices and Microsoft Defender for Endpoint |Capabilities | Operating System | Resources | |:----|:----|:---| -|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | -|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
        - [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | -|EDR |macOS:
        - 10.15 (Catalina)
        - 10.14 (Mojave)
        - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | -|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
        - [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
        | -|Antivirus |macOS:
        - 10.15 (Catalina)
        - 10.14 (Mojave)
        - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | -|Antivirus |Linux:
        - RHEL 7.2+
        - CentOS Linux 7.2+
        - Ubuntu 16 LTS, or higher LTS
        - SLES 12+
        - Debian 9+
        - Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) | +|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information/)
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | +|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
        - [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | +|EDR |macOS:
        - 10.15 (Catalina)
        - 10.14 (Mojave)
        - 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information/)
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
        - [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
        | +|Antivirus |macOS:
        - 10.15 (Catalina)
        - 10.14 (Mojave)
        - 10.13 (High Sierra) |[Microsoft -Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|Antivirus |Linux:
        - RHEL 7.2+
        - CentOS Linux 7.2+
        - Ubuntu 16 LTS, or higher LTS
        - SLES 12+
        - Debian 9+
        - Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) | ## Next step **Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)! - - [Proceed to set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md index f36e72d95c..cb27f632be 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -4,8 +4,8 @@ description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Def keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,20 +15,26 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-symantecmigrate + - M365-security-compliance + - m365solution-symantecmigrate ms.topic: article -ms.date: 09/24/2020 +ms.date: 02/11/2021 ms.custom: migrationguides ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 2: Set up Microsoft Defender for Endpoint +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -|[![Phase 1: Prepare](images/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)
        [Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |![Phase 2: Set up](images/setup.png)
        Phase 2: Set up |[![Phase 3: Onboard](images/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)
        [Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) | +|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)
        [Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |![Phase 2: Set up](images/phase-diagrams/setup.png)
        Phase 2: Set up |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)
        [Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) | |--|--|--| ||*You are here!* | | @@ -63,11 +69,15 @@ Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll > Microsoft Defender Antivirus is built into Windows 10, but it might be disabled. In this case, proceed to [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus). 1. As a local administrator on the endpoint or device, open Windows PowerShell. - -2. Run the following PowerShell cmdlets:
        +2. Run the following PowerShell cmdlets: `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
        - `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
        + `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` + > [!NOTE] + > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required. + > Example:
        + > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
        + > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
        3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
        `Get-Service -Name windefend` @@ -80,7 +90,6 @@ Because your organization is still using Symantec, you must set Microsoft Defend 1. Open Registry Editor, and then navigate to
        `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. - 2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: - Set the DWORD's value to **1**. - Under **Base**, select **Hexadecimal**. @@ -99,9 +108,9 @@ To enable Microsoft Defender Antivirus, we recommend using Intune. However, you |Method |What to do | |---------|---------| -|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

        **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

        2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).

        3. Select **Properties**, and then select **Configuration settings: Edit**.

        4. Expand **Microsoft Defender Antivirus**.

        5. Enable **Cloud-delivered protection**.

        6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.

        7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.

        8. Select **Review + save**, and then choose **Save**.

        For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).| -|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).

        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | -|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
        or
        [Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.

        2. Look for a policy called **Turn off Microsoft Defender Antivirus**.

        3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.

        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
        **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
        2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
        3. Select **Properties**, and then select **Configuration settings: Edit**.
        4. Expand **Microsoft Defender Antivirus**.
        5. Enable **Cloud-delivered protection**.
        6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
        7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
        8. Select **Review + save**, and then choose **Save**.
        For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).| +|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | +|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
        or
        [Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
        2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
        3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | ### Verify that Microsoft Defender Antivirus is in passive mode @@ -109,8 +118,8 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def |Method |What to do | |---------|---------| -|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

        2. Type `sc query windefend`, and then press Enter.

        3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

        2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

        3. In the list of results, look for **AntivirusEnabled: True**. | +|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
        2. Type `sc query windefend`, and then press Enter.
        3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
        2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
        3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.| > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. @@ -131,8 +140,8 @@ This step of the setup process involves adding Microsoft Defender for Endpoint t |OS |Exclusions | |--|--| -|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
        - Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`

        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`

        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`

        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
        | -|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
        - [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`

        **NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.

        `C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`

        `C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | +|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))
        - Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
        - [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
        - [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
        | +|- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
        - [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
        **NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
        `C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
        `C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
        `C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
        `C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
        `C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
        `C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | ## Add Symantec to the exclusion list for Microsoft Defender Antivirus @@ -151,33 +160,27 @@ You can choose from several methods to add your exclusions to Microsoft Defender |Method | What to do| |--|--| -|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

        **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

        2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.

        3. Under **Manage**, select **Properties**.

        4. Select **Configuration settings: Edit**.

        5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.

        6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).

        7. Choose **Review + save**, and then choose **Save**. | -|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.

        2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. | -|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

        2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.

        3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

        4. Double-click the **Path Exclusions** setting and add the exclusions.
        - Set the option to **Enabled**.
        - Under the **Options** section, click **Show...**.
        - Specify each folder on its own line under the **Value name** column.
        - If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.

        5. Click **OK**.

        6. Double-click the **Extension Exclusions** setting and add the exclusions.
        - Set the option to **Enabled**.
        - Under the **Options** section, click **Show...**.
        - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.

        7. Click **OK**. | -|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.

        2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

        3. Specify your path and process exclusions. | -|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.

        2. Import the registry key. Here are two examples:
        - Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
        - Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` | +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
        **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
        2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
        3. Under **Manage**, select **Properties**.
        4. Select **Configuration settings: Edit**.
        5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
        6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
        7. Choose **Review + save**, and then choose **Save**. | +|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
        2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. | +|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
        2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
        3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
        4. Double-click the **Path Exclusions** setting and add the exclusions.
        - Set the option to **Enabled**.
        - Under the **Options** section, click **Show...**.
        - Specify each folder on its own line under the **Value name** column.
        - If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
        5. Click **OK**.
        6. Double-click the **Extension Exclusions** setting and add the exclusions.
        - Set the option to **Enabled**.
        - Under the **Options** section, click **Show...**.
        - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
        7. Click **OK**. | +|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
        2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
        3. Specify your path and process exclusions. | +|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
        2. Import the registry key. Here are two examples:
        - Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
        - Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` | ## Add Symantec to the exclusion list for Microsoft Defender for Endpoint To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files). 1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. - 2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**. - 3. On the **File hashes** tab, choose **Add indicator**. - -3. On the **Indicator** tab, specify the following settings: +4. On the **Indicator** tab, specify the following settings: - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.) - Under **Expires on (UTC)**, choose **Never**. - -4. On the **Action** tab, specify the following settings: +5. On the **Action** tab, specify the following settings: - **Response Action**: **Allow** - Title and description - -5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**. - -6. On the **Summary** tab, review the settings, and then click **Save**. +6. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**. +7. On the **Summary** tab, review the settings, and then click **Save**. ### Find a file hash using CMPivot @@ -186,38 +189,33 @@ CMPivot is an in-console utility for Configuration Manager. CMPivot provides acc To use CMPivot to get your file hash, follow these steps: 1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites). - 2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot). - 3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`). - 4. Select the **Query** tab. - 5. In the **Device Collection** list, and choose **All Systems (default)**. - 6. In the query box, type the following query:
        - -```kusto -File(c:\\windows\\notepad.exe) -| project Hash -``` -> [!NOTE] -> In the query above, replace *notepad.exe* with the your third-party security product process name. + ```kusto + File(c:\\windows\\notepad.exe) + | project Hash + ``` + + > [!NOTE] + > In the query above, replace *notepad.exe* with the your third-party security product process name. + ## Set up your device groups, device collections, and organizational units | Collection type | What to do | |--|--| -|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.

        Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.

        Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).

        2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.

        3. Choose **+ Add device group**.

        4. Specify a name and description for the device group.

        5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).

        6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).

        7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.

        8. Choose **Done**. | -|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.

        Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | -|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.

        Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). | +|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
        Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
        Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
        2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
        3. Choose **+ Add device group**.
        4. Specify a name and description for the device group.
        5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
        6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
        7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
        8. Choose **Done**. | +|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
        Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | +|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
        Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). | ## Configure antimalware policies and real-time protection Using Configuration Manager and your device collection(s), configure your antimalware policies. - See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies). - - While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus). > [!TIP] @@ -226,5 +224,4 @@ Using Configuration Manager and your device collection(s), configure your antima ## Next step **Congratulations**! You have completed the Setup phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)! - - [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md new file mode 100644 index 0000000000..b4ba69661f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md @@ -0,0 +1,98 @@ +--- +title: Techniques in the device timeline +description: Understanding the device timeline in Microsoft Defender for Endpoint +keywords: device timeline, endpoint, MITRE, MITRE ATT&CK, techniques, tactics +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: maccruz +author: schmurky +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde +--- + +# Techniques in the device timeline + + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + + +You can gain more insight in an investigation by analyzing the events that happened on a specific device. First, select the device of interest from the [Devices list](machines-view-overview.md). On the device page, you can select the **Timeline** tab to view all the events that occurred on the device. + +## Understand techniques in the timeline + +>[!IMPORTANT] +>Some information relates to a prereleased product feature in public preview which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +In Microsoft Defender for Endpoint, **Techniques** are an additional data type in the event timeline. Techniques provide more insight on activities associated with [MITRE ATT&CK](https://attack.mitre.org/) techniques or sub-techniques. + +This feature simplifies the investigation experience by helping analysts understand the activities that were observed on a device. Analysts can then decide to investigate further. + +For public preview, Techniques are available by default and shown together with events when a device's timeline is viewed. + +![Techniques in device timeline screenshot](images/device-timeline-with-techniques.png) + +Techniques are highlighted in bold text and appear with a blue icon on the left. The corresponding MITRE ATT&CK ID and technique name also appear as tags under Additional information. + +Search and Export options are also available for Techniques. + +## Investigate using the side pane + +Select a Technique to open its corresponding side pane. Here you can see additional information and insights like related ATT&CK techniques, tactics, and descriptions. + +Select the specific *Attack technique* to open the related ATT&CK technique page where you can find more information about it. + +You can copy an entity's details when you see a blue icon on the right. For instance, to copy a related file's SHA1, select the blue page icon. + +![Copy entity details](images/techniques-side-pane-clickable.png) + +You can do the same for command lines. + +![Copy command line](images/techniques-side-pane-command.png) + + +## Investigate related events + +To use [advanced hunting](advanced-hunting-overview.md) to find events related to the selected Technique, select **Hunt for related events**. This leads to the advanced hunting page with a query to find events related to the Technique. + +![Hunt for related events](images/techniques-hunt-for-related-events.png) + +>[!NOTE] +>Querying using the **Hunt for related events** button from a Technique side pane displays all the events related to the identified technique but does not include the Technique itself in the query results. + + +## Customize your device timeline + +On the upper right-hand side of the device timeline, you can choose a date range to limit the number of events and techniques in the timeline. + +You can customize which columns to expose. You can also filter for flagged events by data type or by event group. + +### Choose columns to expose +You can choose which columns to expose in the timeline by selecting the **Choose columns** button. + +![Customize columns](images/filter-customize-columns.png) + +From there you can select which information set to include. + +### Filter to view techniques or events only + +To view only either events or techniques, select **Filters** from the device timeline and choose your preferred Data type to view. + +![Filters screenshot](images/device-timeline-filters.png) + + + +## See also +- [View and organize the Devices list](machines-view-overview.md) +- [Microsoft Defender for Endpoint device timeline event flags](device-timeline-event-flag.md) + + + diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md new file mode 100644 index 0000000000..ef1e4801c8 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md @@ -0,0 +1,90 @@ +--- +title: Understand the analyst report section in threat analytics +ms.reviewer: +description: Learn about the analyst report section of each threat analytics report. Understand how it provides information about threats, mitigations, detections, advanced hunting queries, and more. +keywords: analyst report, threat analytics, detections, advanced hunting queries, mitigations, +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde +--- + +# Understand the analyst report in threat analytics + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +Each [threat analytics report](threat-analytics.md) includes dynamic sections and a comprehensive written section called the _analyst report_. To access this section, open the report about the tracked threat and select the **Analyst report** tab. + +![Image of the analyst report section of a threat analytics report](images/ta-analyst-report-small.png) + +_Analyst report section of a threat analytics report_ + +## Scan the analyst report +Each section of the analyst report is designed to provide actionable information. While reports vary, most reports include the sections described in the following table. + +| Report section | Description | +|--|--| +| Executive summary | Overview of the threat, including when it was first seen, its motivations, notable events, major targets, and distinct tools and techniques. You can use this information to further assess how to prioritize the threat in the context of your industry, geographic location, and network. | +| Analysis | Technical information about the threats, including the details of an attack and how attackers might utilize a new technique or attack surface | +| MITRE ATT&CK techniques observed | How observed techniques map to the [MITRE ATT&CK attack framework](https://attack.mitre.org/) | +| [Mitigations](#apply-additional-mitigations) | Recommendations that can stop or help reduce the impact of the threat. This section also includes mitigations that aren't tracked dynamically as part of the threat analytics report. | +| [Detection details](#understand-how-each-threat-can-be-detected) | Specific and generic detections provided by Microsoft security solutions that can surface activity or components associated with the threat. | +| [Advanced hunting](#find-subtle-threat-artifacts-using-advanced-hunting) | [Advanced hunting queries](advanced-hunting-overview.md) for proactively identifying possible threat activity. Most queries are provided to supplement detections, especially for locating potentially malicious components or behaviors that couldn't be dynamically assessed to be malicious. | +| References | Microsoft and third-party publications referenced by analysts during the creation of the report. Threat analytics content is based on data validated by Microsoft researchers. Information from publicly available, third-party sources are identified clearly as such. | +| Change log | The time the report was published and when significant changes were made to the report. | + +## Apply additional mitigations +Threat analytics dynamically tracks the [status of security updates and secure configurations](threat-analytics.md#mitigations-review-list-of-mitigations-and-the-status-of-your-devices). This information is available as charts and tables in the **Mitigations** tab. + +In addition to these tracked mitigations, the analyst report also discusses mitigations that are _not_ dynamically monitored. Here are some examples of important mitigations that are not dynamically tracked: + +- Block emails with _.lnk_ attachments or other suspicious file types +- Randomize local administrator passwords +- Educate end users about phishing email and other threat vectors +- Turn on specific [attack surface reduction rules](attack-surface-reduction.md) + +While you can use the **Mitigations** tab to assess your security posture against a threat, these recommendations let you take additional steps towards improving your security posture. Carefully read all the mitigation guidance in the analyst report and apply them whenever possible. + +## Understand how each threat can be detected +The analyst report also provides the detections from Microsoft Defender for Endpoint antivirus and _endpoint detection and response_ (EDR) capabilities. + +### Antivirus detections +These detections are available on devices with [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) turned on. When these detections occur on devices that have been onboarded to Microsoft Defender for Endpoint, they also trigger alerts that light up the charts in the report. + +>[!NOTE] +>The analyst report also lists **generic detections** that can identify a wide-range of threats, in addition to components or behaviors specific to the tracked threat. These generic detections don't reflect in the charts. + +### Endpoint detection and response (EDR) alerts +EDR alerts are raised for [devices onboarded to Microsoft Defender for Endpoint](onboard-configure.md). These alerts generally rely on security signals collected by the Microsoft Defender for Endpoint sensor and other endpoint capabilities—such as antivirus, network protection, tamper protection—that serve as powerful signal sources. + +Like the list of antivirus detections, some EDR alerts are designed to generically flag suspicious behavior that might not be associated with the tracked threat. In such cases, the report will clearly identify the alert as "generic" and that it doesn't influence any of the charts in the report. + +## Find subtle threat artifacts using advanced hunting +While detections allow you to identify and stop the tracked threat automatically, many attack activities leave subtle traces that require additional inspection. Some attack activities exhibit behaviors that can also be normal, so detecting them dynamically can result in operational noise or even false positives. + +[Advanced hunting](advanced-hunting-overview.md) provides a query interface based on Kusto Query Language that simplifies locating subtle indicators of threat activity. It also allows you to surface contextual information and verify whether indicators are connected to a threat. + +Advanced hunting queries in the analyst reports have been vetted by Microsoft analysts and are ready for you to run in the [advanced hunting query editor](https://securitycenter.windows.com/advanced-hunting). You can also use the queries to create [custom detection rules](custom-detection-rules.md) that trigger alerts for future matches. + + +## Related topics +- [Threat analytics overview](threat-analytics.md) +- [Proactively find threats with advanced hunting](advanced-hunting-overview.md) +- [Custom detection rules](custom-detection-rules.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index 7736f20b59..1e5cfd7dc1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md @@ -2,10 +2,10 @@ title: Track and respond to emerging threats with Microsoft Defender ATP threat analytics ms.reviewer: description: Learn about emerging threats and attack techniques and how to stop them. Assess their impact to your organization and evaluate your organizational resilience. -keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status +keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Track and respond to emerging threats with threat analytics @@ -25,7 +26,10 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly: @@ -41,7 +45,7 @@ Threat analytics is a set of reports from expert Microsoft security researchers - Common attack surfaces - Prevalent malware -Each report provides a detailed analysis of a threat and extensive guidance on how to defend against the threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable security updates and recommended settings in place. +Each report provides a detailed analysis of a threat and extensive guidance on how to defend against that threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable protections in place. Watch this short video to learn more about how threat analytics can help you track the latest threats and stop them.

        @@ -54,7 +58,7 @@ The threat analytics dashboard is a great jump off point for getting to the repo - **Latest threats**—lists the most recently published threat reports, along with the number of devices with active and resolved alerts. - **High-impact threats**—lists the threats that have had the highest impact to the organization. This section ranks threats by the number of devices that have active alerts. -- **Threat summary**—shows the overall impact of all the threats reported in threat analytics by showing the number of threats with active and resolved alerts. +- **Threat summary**—shows the overall impact of tracked threats by showing the number of threats with active and resolved alerts. Select a threat from the dashboard to view the report for that threat. @@ -64,38 +68,43 @@ Select a threat from the dashboard to view the report for that threat. Each threat analytics report provides information in three sections: **Overview**, **Analyst report**, and **Mitigations**. -### Quickly understand a threat and assess its impact to your network in the overview +### Overview: Quickly understand the threat, assess its impact, and review defenses The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices. ![Image of the overview section of a threat analytics report](images/ta-overview.png) _Overview section of a threat analytics report_ -#### Organizational impact +#### Assess the impact to your organization Each report includes charts designed to provide information about the organizational impact of a threat: - **Devices with alerts**—shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved. - **Devices with alerts over time**—shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days. -#### Organizational resilience and exposure +#### Review security resilience and posture Each report includes charts that provide an overview of how resilient your organization is against a given threat: - **Security configuration status**—shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings. - **Vulnerability patching status**—shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat. -### Get expert insight from the analyst report +### Analyst report: Get expert insight from Microsoft security researchers Go to the **Analyst report** section to read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful [threat hunting](advanced-hunting-overview.md) guidance. -![Image of the analyst report section of a threat analytics report](images/ta-analyst-report.png) -_Analyst report section of a threat analytics report_ +[Learn more about the analyst report](threat-analytics-analyst-reports.md) -### Review list of mitigations and the status of your devices -In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes recommended settings and vulnerability patches. It also shows the number of devices that don't have these mitigations in place. +### Mitigations: Review list of mitigations and the status of your devices +In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes: +- **Security updates**—deployment of security updates or patches for vulnerabilities +- **Microsoft Defender Antivirus settings** + - Security intelligence version + - Cloud-delivered protection + - Potentially unwanted application (PUA) protection + - Real-time protection + Mitigation information in this section incorporates data from [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md), which also provides detailed drill-down information from various links in the report. ![Image of the mitigations section of a threat analytics report](images/ta-mitigations.png) _Mitigations section of a threat analytics report_ - ## Additional report details and limitations When using the reports, keep the following in mind: @@ -107,4 +116,5 @@ When using the reports, keep the following in mind: ## Related topics - [Proactively find threats with advanced hunting](advanced-hunting-overview.md) -- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md) +- [Understand the analyst report section](threat-analytics-analyst-reports.md) +- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md index 0e1e460db8..1e91ad143b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md @@ -1,10 +1,10 @@ --- title: Event timeline in threat and vulnerability management -description: Event timeline is a "risk news feed" that helps you interpret how risk is introduced into the organization, and which mitigations happened to reduce it. +description: Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization, and which mitigations happened to reduce it. keywords: event timeline, mdatp event timeline, mdatp tvm event timeline, threat and vulnerability management, Microsoft Defender Advanced Threat Protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Event timeline - threat and vulnerability management @@ -24,14 +25,18 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization through new vulnerabilities or exploits. You can view events that may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was added to an exploit kit, and more. Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) and [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) so you can determine the cause of large changes. Events can impact your devices or your score for devices. Reduce you exposure by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md). +>[!TIP] +>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md) + ## Navigate to the Event timeline page There are also three entry points from the [threat and vulnerability management dashboard](tvm-dashboard-insights.md): diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md index a7fc785038..b779e7d95a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md @@ -4,7 +4,7 @@ description: Create custom threat alerts for your organization and learn the con keywords: threat intelligence, alert definitions, indicators of compromise, ioc search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,25 +13,26 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Understand threat intelligence concepts [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-threatindicator-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-threatindicator-abovefoldlink) Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious. -With Microsoft Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track. +With Microsoft Defender for Endpoint, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track. Before creating custom threat alerts, it's important to know the concepts behind alert definitions and indicators of compromise (IOCs) and the relationship between them. @@ -42,9 +43,9 @@ Alert definitions are contextual attributes that can be used collectively to ide IOCs are individually-known malicious events that indicate that a network or device has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks. ## Relationship between alert definitions and IOCs -In the context of Microsoft Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. +In the context of Microsoft Defender for Endpoint, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. -Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Microsoft Defender ATP console. +Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Microsoft Defender for Endpoint console. Here is an example of an IOC: - Type: Sha1 @@ -58,11 +59,11 @@ IOCs have a many-to-one relationship with alert definitions such that an alert d Topic | Description :---|:--- [Pull detections to your SIEM tools](configure-siem.md)| Learn about different ways to pull detections. -[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools. -[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections. -[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections. -[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. -[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API. +[Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools. +[Configure Splunk to pull Microsoft Defender for Endpoint detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender for Endpoint detections. +[Configure HP ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender for Endpoint detections. +[Microsoft Defender for Endpoint Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. +[Pull Microsoft Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender for Endpoint using REST API. [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index 937906e7a6..291206bd32 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md @@ -1,69 +1,73 @@ --- -title: Integrate Microsoft Defender ATP with other Microsoft solutions -ms.reviewer: -description: Learn how Microsoft Defender ATP integrates with other Microsoft solutions, including Azure Advanced Threat Protection and Azure Security Center. -keywords: microsoft threat protection, conditional access, office, advanced threat protection, azure atp, azure security center, microsoft cloud app security +title: Integrate Microsoft Defender for Endpoint with other Microsoft solutions +description: Learn how Microsoft Defender for Endpoint integrates with other Microsoft solutions, including Microsoft Defender for Identity and Azure Security Center. +author: mjcaparas +ms.author: macapara +ms.prod: m365-security +keywords: microsoft 365 defender, conditional access, office, advanced threat protection, microsoft defender for identity, microsoft defender for office, azure security center, microsoft cloud app security, azure sentinel search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- -# Microsoft Defender ATP and other Microsoft solutions +# Microsoft Defender for Endpoint and other Microsoft solutions [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Integrate with other Microsoft solutions - Microsoft Defender ATP directly integrates with various Microsoft solutions. - -### Azure Advanced Threat Protection (Azure ATP) - Suspicious activities are processes running under a user context. The integration between Microsoft Defender ATP and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities. +Microsoft Defender for Endpoint directly integrates with various Microsoft solutions. ### Azure Security Center -Microsoft Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers. +Microsoft Defender for Endpoint provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers. + +### Azure Sentinel +The Microsoft Defender for Endpoint connector lets you stream alerts from Microsoft Defender for Endpoint into Azure Sentinel. This will enable you to more comprehensively analyze security events across your organization and build playbooks for effective and immediate response. ### Azure Information Protection Keep sensitive data secure while enabling productivity in the workplace through data discovery and data protection. ### Conditional Access -Microsoft Defender ATP's dynamic device risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources. - +Microsoft Defender for Endpoint's dynamic device risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources. ### Microsoft Cloud App Security -Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored devices. +Microsoft Cloud App Security leverages Microsoft Defender for Endpoint endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored devices. -### Office 365 Advanced Threat Protection (Office 365 ATP) -[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. +### Microsoft Defender for Identity +Suspicious activities are processes running under a user context. The integration between Microsoft Defender for Endpoint and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities. + +### Microsoft Defender for Office +[Defender for Office 365](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender for Endpoint enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. >[!NOTE] -> Office 365 ATP data is displayed for events within the last 30 days. For alerts, Office 365 ATP data is displayed based on first activity time. After that, the data is no longer available in Office 365 ATP. +> Defender for Office 365 data is displayed for events within the last 30 days. For alerts, Defender for Office 365 data is displayed based on first activity time. After that, the data is no longer available in Defender for Office 365. ### Skype for Business The Skype for Business integration provides a way for analysts to communicate with a potentially compromised user or device owner through a simple button from the portal. -## Microsoft Threat Protection - With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. +## Microsoft 365 Defender +With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. - [Learn more about Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) +[Learn more about Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) ## Related topics - [Configure integration and other advanced features](advanced-features.md) -- [Microsoft Threat Protection overview](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) -- [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable) +- [Microsoft 365 Defender overview](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) +- [Turn on Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable) - [Protect users, data, and devices with Conditional Access](conditional-access.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md index 6690a9a308..8fbeab0216 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md @@ -4,7 +4,7 @@ description: Track alert detections, categories, and severity using the threat p keywords: alert detection, source, alert by category, alert severity, alert classification, determination search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,23 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Threat protection report in Microsoft Defender ATP +# Threat protection report in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) + The threat protection report provides high-level information about alerts generated in your organization. The report includes trending information showing the detection sources, categories, severities, statuses, classifications, and determinations of alerts across time. The dashboard is structured into two sections: @@ -61,7 +65,7 @@ While the alert trends shows trending alert information, the alert summary shows ## Alert attributes The report is made up of cards that display the following alert attributes: -- **Detection sources**: shows information about the sensors and detection technologies that provide the data used by Microsoft Defender ATP to trigger alerts. +- **Detection sources**: shows information about the sensors and detection technologies that provide the data used by Microsoft Defender for Endpoint to trigger alerts. - **Threat categories**: shows the types of threat or attack activity that triggered alerts, indicating possible focus areas for your security operations. diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md index a527797436..2fb809a07f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md @@ -3,7 +3,7 @@ title: Indicator resource type description: Specify the entity details and define the expiration of the indicator using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, supported apis, get, TiIndicator, Indicator, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,25 +12,34 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Indicator resource type [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - See the corresponding [Indicators page](https://securitycenter.windows.com/preferences2/custom_ti_indicators/files) in the portal. Method|Return Type |Description :---|:---|:--- [List Indicators](get-ti-indicators-collection.md) | [Indicator](ti-indicator.md) Collection | List [Indicator](ti-indicator.md) entities. -[Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submits [Indicator](ti-indicator.md) entity. +[Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submit or update [Indicator](ti-indicator.md) entity. +[Import Indicators](import-ti-indicators.md) | [Indicator](ti-indicator.md) Collection | Submit or update [Indicators](ti-indicator.md) entities. [Delete Indicator](delete-ti-indicator-by-id.md) | No Content | Deletes [Indicator](ti-indicator.md) entity. diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md index 173c407eda..3a6fb8e000 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md @@ -4,7 +4,7 @@ description: Use the info contained here to configure the Microsoft Defender Sec keywords: settings, Microsoft Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,58 +13,60 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Defender Security Center time zone settings [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-settings-abovefoldlink) -Use the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png) to configure the time zone and view license information. +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-settings-abovefoldlink) + +Use the **Time zone** menu ![Time zone settings icon1](images/atp-time-zone.png) to configure the time zone and view license information. ## Time zone settings The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks. Cyberforensic investigations often rely on time stamps to piece together the sequence of events. It’s important that your system reflects the correct time zone settings. -Microsoft Defender ATP can display either Coordinated Universal Time (UTC) or local time. +Microsoft Defender for Endpoint can display either Coordinated Universal Time (UTC) or local time. -Your current time zone setting is shown in the Microsoft Defender ATP menu. You can change the displayed time zone in the **Time zone** menu. +Your current time zone setting is shown in the Microsoft Defender for Endpoint menu. You can change the displayed time zone in the **Time zone** menu. -![Time zone settings icon](images/atp-time-zone-menu.png). +![Time zone settings icon2](images/atp-time-zone-menu.png). ### UTC time zone -Microsoft Defender ATP uses UTC time by default. +Microsoft Defender for Endpoint uses UTC time by default. -Setting the Microsoft Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events. +Setting the Microsoft Defender for Endpoint time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events. ### Local time zone -You can choose to have Microsoft Defender ATP use local time zone settings. All alerts and events will be displayed using your local time zone. +You can choose to have Microsoft Defender for Endpoint use local time zone settings. All alerts and events will be displayed using your local time zone. -The local time zone is taken from your device’s regional settings. If you change your regional settings, the Microsoft Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in Microsoft Defender ATP will be aligned to local time for all Microsoft Defender ATP users. Analysts located in different global locations will now see the Microsoft Defender ATP alerts according to their regional settings. +The local time zone is taken from your device’s regional settings. If you change your regional settings, the Microsoft Defender for Endpoint time zone will also change. Choosing this setting means that the timestamps displayed in Microsoft Defender for Endpoint will be aligned to local time for all Microsoft Defender for Endpoint users. Analysts located in different global locations will now see the Microsoft Defender for Endpoint alerts according to their regional settings. Choosing to use local time can be useful if the analysts are located in a single location. In this case it might be easier to correlate events to local time, for example – when a local user clicked on a suspicious email link. ### Set the time zone -The Microsoft Defender ATP time zone is set by default to UTC. -Setting the time zone also changes the times for all Microsoft Defender ATP views. +The Microsoft Defender for Endpoint time zone is set by default to UTC. +Setting the time zone also changes the times for all Microsoft Defender for Endpoint views. To set the time zone: -1. Click the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png). +1. Click the **Time zone** menu ![Time zone settings icon3](images/atp-time-zone.png). 2. Select the **Timezone UTC** indicator. 3. Select **Timezone UTC** or your local time zone, for example -7:00. ### Regional settings -To apply different date formats for Microsoft Defender ATP, use regional settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser. +To apply different date formats for Microsoft Defender for Endpoint, use regional settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser. **Internet Explorer (IE) and Microsoft Edge** diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index 5869c9d23d..102416451a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -4,7 +4,7 @@ description: Resources and sample code to troubleshoot issues with attack surfac keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, microsoft defender atp, microsoft defender advanced threat protection search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -15,6 +15,7 @@ ms.date: 03/27/2019 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Troubleshoot attack surface reduction rules @@ -23,14 +24,17 @@ ms.custom: asr **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as: -- A rule blocks a file, process, or performs some other action that it should not (false positive) +- A rule blocks a file, process, or performs some other action that it shouldn't (false positive) -- A rule does not work as described, or does not block a file or process that it should (false negative) +- A rule doesn't work as described, or doesn't block a file or process that it should (false negative) There are four steps to troubleshooting these problems: @@ -52,7 +56,7 @@ Attack surface reduction rules will only work on devices with the following cond - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. -- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +- Audit mode isn't enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). If these prerequisites have all been met, proceed to the next step to test the rule in audit mode. @@ -60,7 +64,7 @@ If these prerequisites have all been met, proceed to the next step to test the r You can visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. -Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. +Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you're encountering problems with. 1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run. @@ -68,19 +72,19 @@ Follow these instructions in [Use the demo tool to see how attack surface reduct 3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. -If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. +If a rule isn't blocking a file or process that you're expecting it should block, first check if audit mode is enabled. Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. -If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: +If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation: -1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). +1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). -2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions). +2. If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions). ## Add exclusions for a false positive -If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. +If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md). @@ -94,12 +98,12 @@ Use the [Windows Defender Security Intelligence web-based submission form](https ## Collect diagnostic data for file submissions -When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. +When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: ```console - cd c:\program files\windows defender + cd "c:\program files\windows defender" ``` 2. Run this command to generate the diagnostic logs: @@ -108,7 +112,7 @@ When you report a problem with attack surface reduction rules, you are asked to mpcmdrun -getfiles ``` -3. By default, they are saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form. +3. By default, they're saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form. ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md index 30017b4ca8..dd9da22a6d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md @@ -1,10 +1,10 @@ --- -title: Collect support logs in Microsoft Defender ATP using live response -description: Learn how to collect logs using live response to troubleshoot Microsoft Defender ATP issues +title: Collect support logs in Microsoft Defender for Endpoints using live response +description: Learn how to collect logs using live response to troubleshoot Microsoft Defender for Endpoints issues keywords: support, log, collect, troubleshoot, live response, liveanalyzer, analyzer, live, response search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,24 +13,29 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: troubleshooting +ms.technology: mde --- -# Collect support logs in Microsoft Defender ATP using live response +# Collect support logs in Microsoft Defender for Endpoint using live response **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -When contacting support, you may be asked to provide the output package of the Microsoft Defender ATP Client Analyzer tool. +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) + + +When contacting support, you may be asked to provide the output package of the Microsoft Defender for Endpoint Client Analyzer tool. This topic provides instructions on how to run the tool via Live Response. 1. Download the appropriate script - * Microsoft Defender ATP client sensor logs only: [LiveAnalyzer.ps1 script](https://aka.ms/MDATPLiveAnalyzer). + * Microsoft Defender for Endpoint client sensor logs only: [LiveAnalyzer.ps1 script](https://aka.ms/MDELiveAnalyzer). - Result package approximate size: ~100Kb - * Microsoft Defender ATP client sensor and Antivirus logs: [LiveAnalyzer+MDAV.ps1 script](https://aka.ms/MDATPLiveAnalyzerAV). + * Microsoft Defender for Endpoint client sensor and Antivirus logs: [LiveAnalyzer+MDAV.ps1 script](https://aka.ms/MDELiveAnalyzerAV). - Result package approximate size: ~10Mb 2. Initiate a [Live Response session](live-response.md#initiate-a-live-response-session-on-a-device) on the machine you need to investigate. @@ -41,35 +46,35 @@ This topic provides instructions on how to run the tool via Live Response. 4. Select **Choose file**. - ![Image of choose file button](images/choose-file.png) + ![Image of choose file button1](images/choose-file.png) -5. Select the downloaded file named MDATPLiveAnalyzer.ps1 and then click on **Confirm** +5. Select the downloaded file named MDELiveAnalyzer.ps1 and then click on **Confirm** - ![Image of choose file button](images/analyzer-file.png) + ![Image of choose file button2](images/analyzer-file.png) 6. While still in the LiveResponse session, use the commands below to run the analyzer and collect the result file: ```console - Run MDATPLiveAnalyzer.ps1 - GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDATPClientAnalyzerResult.zip" -auto + Run MDELiveAnalyzer.ps1 + GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip" -auto ``` ![Image of commands](images/analyzer-commands.png) >[!NOTE] -> - The latest preview version of MDATPClientAnalyzer can be downloaded here: [https://aka.ms/Betamdatpanalyzer](https://aka.ms/Betamdatpanalyzer). +> - The latest preview version of MDEClientAnalyzer can be downloaded here: [https://aka.ms/Betamdeanalyzer](https://aka.ms/Betamdeanalyzer). > > - The LiveAnalyzer script downloads the troubleshooting package on the destination machine from: https://mdatpclientanalyzer.blob.core.windows.net. > -> If you cannot allow the machine to reach the above URL, then upload MDATPClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script: +> If you cannot allow the machine to reach the above URL, then upload MDEClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script: > > ```console -> PutFile MDATPClientAnalyzerPreview.zip -overwrite -> Run MDATPLiveAnalyzer.ps1 -> GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDATPClientAnalyzerResult.zip" -auto +> PutFile MDEClientAnalyzerPreview.zip -overwrite +> Run MDELiveAnalyzer.ps1 +> GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip" -auto > ``` > -> - For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender ATP cloud services, or does not appear in MDATP portal as expected, see [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls). +> - For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or does not appear in Microsoft Defender for Endpoint portal as expected, see [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls). diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md index aff164b095..ebdc8c0a2a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md @@ -3,7 +3,7 @@ title: Troubleshoot exploit protection mitigations keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install description: Learn how to deal with unwanted mitigations in Windows Security, including a process to remove all mitigations and import a baseline configuration file instead. search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.author: dansimp ms.date: 08/09/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Troubleshoot exploit protection mitigations @@ -22,8 +23,11 @@ manager: dansimp **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md index 01ddeadebe..9655ed861e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md @@ -1,10 +1,10 @@ --- title: Troubleshoot Microsoft Defender ATP live response issues -description: Troubleshoot issues that might arise when using live response in Microsoft Defender ATP +description: Troubleshoot issues that might arise when using live response in Microsoft Defender ATP keywords: troubleshoot live response, live, response, locked, file search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,20 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: troubleshooting +ms.technology: mde --- # Troubleshoot Microsoft Defender for Endpoint live response issues [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) This page provides detailed steps to troubleshoot live response issues. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md index e044d0457b..4a5c3f1d71 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md @@ -1,10 +1,10 @@ --- -title: Troubleshoot Microsoft Defender Advanced Threat Protection service issues +title: Troubleshoot Microsoft Defender Advanced Threat Protection service issues description: Find solutions and work arounds to known issues such as server errors when trying to access the service. keywords: troubleshoot Microsoft Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, allow, event viewer search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,14 +13,21 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: troubleshooting +ms.technology: mde --- # Troubleshoot service issues [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) + This section addresses issues that might arise as you use the Microsoft Defender Advanced Threat service. @@ -37,13 +44,13 @@ Make sure that `*.securitycenter.windows.com` is included the proxy allow list. > [!NOTE] > You must use the HTTPS protocol when adding the following endpoints. -## Microsoft Defender ATP service shows event or error logs in the Event Viewer +## Microsoft Defender for Endpoint service shows event or error logs in the Event Viewer -See the topic [Review events and errors using Event Viewer](event-error-codes.md) for a list of event IDs that are reported by the Microsoft Defender ATP service. The topic also contains troubleshooting steps for event errors. +See the topic [Review events and errors using Event Viewer](event-error-codes.md) for a list of event IDs that are reported by the Microsoft Defender for Endpoint service. The topic also contains troubleshooting steps for event errors. -## Microsoft Defender ATP service fails to start after a reboot and shows error 577 +## Microsoft Defender for Endpoint service fails to start after a reboot and shows error 577 -If onboarding devices successfully completes but Microsoft Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. +If onboarding devices successfully completes but Microsoft Defender for Endpoint does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). @@ -65,15 +72,15 @@ The following date and time formats are currently not supported: **Use of comma to indicate thousand**
        Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5K is displayed as 15.5K. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) -## Microsoft Defender ATP tenant was automatically created in Europe -When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. +## Microsoft Defender for Endpoint tenant was automatically created in Europe +When you use Azure Security Center to monitor servers, a Microsoft Defender for Endpoint tenant is automatically created. The Microsoft Defender for Endpoint data is stored in Europe by default. ## Related topics -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) - [Review events and errors using Event Viewer](event-error-codes.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index bea92c57cf..429e13a849 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -3,7 +3,7 @@ title: Troubleshoot problems with Network protection description: Resources and sample code to troubleshoot issues with Network protection in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, microsoft defender atp, microsoft defender advanced threat protection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,9 +11,10 @@ ms.localizationpriority: medium audience: ITPro author: dansimp ms.author: dansimp -ms.date: 03/27/2019 +ms.date: 01/26/2021 ms.reviewer: manager: dansimp +ms.technology: mde --- # Troubleshoot network protection @@ -22,15 +23,16 @@ manager: dansimp **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) -* IT administrators When you use [Network protection](network-protection.md) you may encounter issues, such as: -* Network protection blocks a website that is safe (false positive) -* Network protection fails to block a suspicious or known malicious website (false negative) +- Network protection blocks a website that is safe (false positive) +- Network protection fails to block a suspicious or known malicious website (false negative) There are four steps to troubleshooting these problems: @@ -44,11 +46,11 @@ There are four steps to troubleshooting these problems: Network protection will only work on devices with the following conditions: >[!div class="checklist"] -> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). -> * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). -> * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. -> * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. -> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). +> - Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. +> - Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [See what happens when you are using a non-Microsoft antivirus solution](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). +> - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. +> - [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. +> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). ## Use audit mode @@ -60,9 +62,9 @@ You can enable network protection in audit mode and then visit a website that we Set-MpPreference -EnableNetworkProtection AuditMode ``` -1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). +2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). -1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. +3. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. If network protection is not blocking a connection that you are expecting it should block, enable the feature. @@ -74,6 +76,8 @@ You can enable network protection in audit mode and then visit a website that we If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). +See [Address false positives/negatives in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives). + ## Exclude website from network protection scope To allow the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check. @@ -84,20 +88,21 @@ When you report a problem with network protection, you are asked to collect and 1. Open an elevated command prompt and change to the Windows Defender directory: - ```PowerShell + ```console cd c:\program files\windows defender ``` -1. Run this command to generate the diagnostic logs: +2. Run this command to generate the diagnostic logs: - ```PowerShell + ```console mpcmdrun -getfiles ``` -1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. +3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. ## Related topics -* [Network protection](network-protection.md) -* [Evaluate network protection](evaluate-network-protection.md) -* [Enable network protection](enable-network-protection.md) +- [Network protection](network-protection.md) +- [Evaluate network protection](evaluate-network-protection.md) +- [Enable network protection](enable-network-protection.md) +- [Address false positives/negatives in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md index 73945ccbcd..1983efe55b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md @@ -4,7 +4,7 @@ description: Troubleshoot onboarding issues and error message while completing s keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,30 +13,28 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: troubleshooting +ms.technology: mde --- # Troubleshoot subscription and portal access issues [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) - - -This page provides detailed steps to troubleshoot issues that might occur when setting up your Microsoft Defender ATP service. +This page provides detailed steps to troubleshoot issues that might occur when setting up your Microsoft Defender for Endpoint service. If you receive an error message, Microsoft Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied. ## No subscriptions found -If while accessing Microsoft Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (Azure AD) used to log in the user to the portal, does not have a Microsoft Defender ATP license. +If while accessing Microsoft Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (Azure AD) used to log in the user to the portal, does not have a Microsoft Defender for Endpoint license. Potential reasons: - The Windows E5 and Office E5 licenses are separate licenses. @@ -44,14 +42,14 @@ Potential reasons: - It could be a license provisioning issue. - It could be you inadvertently provisioned the license to a different Microsoft Azure AD than the one used for authentication into the service. -For both cases, you should contact Microsoft support at [General Microsoft Defender ATP Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or +For both cases, you should contact Microsoft support at [General Microsoft Defender for Endpoint Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or [Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx). ![Image of no subscriptions found](images/atp-no-subscriptions-found.png) ## Your subscription has expired -If while accessing Microsoft Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Microsoft Defender ATP subscription, like any other online service subscription, has an expiration date. +If while accessing Microsoft Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Microsoft Defender for Endpoint subscription, like any other online service subscription, has an expiration date. You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the device offboarding package, should you choose to not renew the license. @@ -62,7 +60,7 @@ You can choose to renew or extend the license at any point in time. When accessi ## You are not authorized to access the portal -If you receive a **You are not authorized to access the portal**, be aware that Microsoft Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. +If you receive a **You are not authorized to access the portal**, be aware that Microsoft Defender for Endpoint is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. For more information, see, [**Assign user access to the portal**](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection). ![Image of not authorized to access portal](images/atp-not-authorized-to-access-portal.png) @@ -78,8 +76,8 @@ You'll need to allow the `securitycenter.windows.com` and all subdomains under i ## Portal communication issues If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are allowed and open for communication. -- `*.blob.core.windows.net -crl.microsoft.com` +- `*.blob.core.windows.net` +- `crl.microsoft.com` - `https://*.microsoftonline-p.com` - `https://*.securitycenter.windows.com` - `https://automatediracs-eus-prd.securitycenter.windows.com` diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 673f3f624c..4e1d6bcc04 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -4,7 +4,7 @@ description: Troubleshoot issues that might arise during the onboarding of devic keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,20 +15,24 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: troubleshooting +ms.technology: mde --- -# Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues +# Troubleshoot Microsoft Defender for Endpoint onboarding issues [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - Windows Server 2012 R2 - Windows Server 2016 +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues. +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) + +You might need to troubleshoot the Microsoft Defender for Endpoint onboarding process if you encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the devices. ## Troubleshoot issues with onboarding tools @@ -102,10 +106,10 @@ If none of the event logs and troubleshooting steps work, download the Local scr Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps :---:|:---|:---|:---|:--- 0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
        Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

        **Troubleshooting steps:**
        Check the event IDs in the [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log) section.

        Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10). - | | | | Onboarding
        Offboarding
        SampleSharing | **Possible cause:** Microsoft Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.

        **Troubleshooting steps:** Ensure that the following registry key exists: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`

        If it doesn't exist, open an elevated command and add the key. + | | | | Onboarding
        Offboarding
        SampleSharing | **Possible cause:** Microsoft Defender for Endpoint Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.

        **Troubleshooting steps:** Ensure that the following registry key exists: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`

        If it doesn't exist, open an elevated command and add the key. | | | | SenseIsRunning
        OnboardingState
        OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.

        **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device).

        Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10). - | | | | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

        Currently supported platforms:
        Enterprise, Education, and Professional.
        Server is not supported. - 0x87D101A9 | -2016345687 |SyncML(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

        Currently supported platforms:
        Enterprise, Education, and Professional. + | | | | All | **Possible cause:** Attempt to deploy Microsoft Defender for Endpoint on non-supported SKU/Platform, particularly Holographic SKU.

        Currently supported platforms:
        Enterprise, Education, and Professional.
        Server is not supported. + 0x87D101A9 | -2016345687 |SyncML(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Microsoft Defender for Endpoint on non-supported SKU/Platform, particularly Holographic SKU.

        Currently supported platforms:
        Enterprise, Education, and Professional. #### Known issues with non-compliance @@ -127,11 +131,11 @@ Channel name: Admin ID | Severity | Event description | Troubleshooting steps :---|:---|:---|:--- -1819 | Error | Microsoft Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). +1819 | Error | Microsoft Defender for Endpoint CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). ## Troubleshoot onboarding issues on the device -If the deployment tools used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent. +If the deployment tools used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender for Endpoint agent. - [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log) - [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled) @@ -146,7 +150,7 @@ If the deployment tools used does not indicate an error in the onboarding proces 2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**. > [!NOTE] - > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP. + > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint. 3. Select **Operational** to load the log. @@ -160,17 +164,17 @@ If the deployment tools used does not indicate an error in the onboarding proces Event ID | Message | Resolution steps :---:|:---|:--- - `5` | Microsoft Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection). - `6` | Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script.md). - `7` | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection), then run the entire onboarding process again. - `9` | Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).

        If the event happened during offboarding, contact support. -`10` | Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).

        If the problem persists, contact support. -`15` | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection). -`17` | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script.md). If the problem persists, contact support. -`25` | Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. -`27` | Failed to enable Microsoft Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. + `5` | Microsoft Defender for Endpoint service failed to connect to the server at _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection). + `6` | Microsoft Defender for Endpoint service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script.md). + `7` | Microsoft Defender for Endpoint service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection), then run the entire onboarding process again. + `9` | Microsoft Defender for Endpoint service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).

        If the event happened during offboarding, contact support. +`10` | Microsoft Defender for Endpoint service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).

        If the problem persists, contact support. +`15` | Microsoft Defender for Endpoint cannot start command channel with URL: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection). +`17` | Microsoft Defender for Endpoint service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script.md). If the problem persists, contact support. +`25` | Microsoft Defender for Endpoint service failed to reset health status in the registry. Failure code: _variable_ | Contact support. +`27` | Failed to enable Microsoft Defender for Endpoint mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. `29` | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the device has Internet access, then run the entire offboarding process again. -`30` | Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender Advanced Threat Protection. Failure code: %1 | Contact support. +`30` | Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender for Endpoint. Failure code: %1 | Contact support. `32` | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the device. `55` | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the device. `63` | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. @@ -180,7 +184,7 @@ Event ID | Message | Resolution steps
        -There are additional components on the device that the Microsoft Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. +There are additional components on the device that the Microsoft Defender for Endpoint agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender for Endpoint agent event log, proceed with the following steps to ensure that the additional components are configured correctly. @@ -242,11 +246,11 @@ First, you should check that the service is set to start automatically when Wind ### Ensure the device has an Internet connection -The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. +The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service. WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment. -To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls) topic. +To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls) topic. If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) topic. @@ -257,11 +261,11 @@ If the verification fails and your environment is using a proxy to connect to th > > The update ensures that Microsoft Defender Antivirus cannot be turned off on client devices via system policy. -**Problem**: The Microsoft Defender ATP service does not start after onboarding. +**Problem**: The Microsoft Defender for Endpoint service does not start after onboarding. **Symptom**: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service. -**Solution**: If your devices are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not turned off by a system policy. +**Solution**: If your devices are running a third-party antimalware client, the Microsoft Defender for Endpoint agent needs the Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not turned off by a system policy. - Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared: @@ -297,9 +301,9 @@ If you encounter issues while onboarding a server, go through the following veri You might also need to check the following: -- Check that there is a Microsoft Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example: +- Check that there is a Microsoft Defender for Endpoint Service running in the **Processes** tab in **Task Manager**. For example: - ![Image of process view with Microsoft Defender Advanced Threat Protection Service running](images/atp-task-manager.png) + ![Image of process view with Microsoft Defender for Endpoint Service running](images/atp-task-manager.png) - Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors. @@ -325,128 +329,129 @@ The steps below provide guidance for the following scenario: - In this scenario, the SENSE service will not start automatically even though onboarding package was deployed > [!NOTE] -> The following steps are only relevant when using Microsoft Endpoint Configuration Manager. For more details about onboarding using Microsoft Endpoint Configuration Manager, see [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection). +> The following steps are only relevant when using Microsoft Endpoint Configuration Manager. For more details about onboarding using Microsoft Endpoint Configuration Manager, see [Microsoft Defender for Endpoint](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection). 1. Create an application in Microsoft Endpoint Configuration Manager. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-1.png) + ![Image of Microsoft Endpoint Configuration Manager configuration1](images/mecm-1.png) 2. Select **Manually specify the application information**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-2.png) + ![Image of Microsoft Endpoint Configuration Manager configuration2](images/mecm-2.png) 3. Specify information about the application, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-3.png) + ![Image of Microsoft Endpoint Configuration Manager configuration3](images/mecm-3.png) 4. Specify information about the software center, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-4.png) + ![Image of Microsoft Endpoint Configuration Manager configuration4](images/mecm-4.png) 5. In **Deployment types** select **Add**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-5.png) + ![Image of Microsoft Endpoint Configuration Manager configuration5](images/mecm-5.png) 6. Select **Manually specify the deployment type information**, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-6.png) + ![Image of Microsoft Endpoint Configuration Manager configuration6](images/mecm-6.png) 7. Specify information about the deployment type, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-7.png) + ![Image of Microsoft Endpoint Configuration Manager configuration7](images/mecm-7.png) 8. In **Content** > **Installation program** specify the command: `net start sense`. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-8.png) + ![Image of Microsoft Endpoint Configuration Manager configuration8](images/mecm-8.png) 9. In **Detection method**, select **Configure rules to detect the presence of this deployment type**, then select **Add Clause**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-9.png) + ![Image of Microsoft Endpoint Configuration Manager configuration9](images/mecm-9.png) 10. Specify the following detection rule details, then select **OK**: - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-10.png) + ![Image of Microsoft Endpoint Configuration Manager configuration10](images/mecm-10.png) 11. In **Detection method** select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-11.png) + ![Image of Microsoft Endpoint Configuration Manager configuration11](images/mecm-11.png) 12. In **User Experience**, specify the following information, then select **Next**: - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-12.png) + ![Image of Microsoft Endpoint Configuration Manager configuration12](images/mecm-12.png) 13. In **Requirements**, select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-13.png) + ![Image of Microsoft Endpoint Configuration Manager configuration13](images/mecm-13.png) 14. In **Dependencies**, select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-14.png) + ![Image of Microsoft Endpoint Configuration Manager configuration14](images/mecm-14.png) 15. In **Summary**, select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-15.png) + ![Image of Microsoft Endpoint Configuration Manager configuration15](images/mecm-15.png) 16. In **Completion**, select **Close**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-16.png) + ![Image of Microsoft Endpoint Configuration Manager configuration16](images/mecm-16.png) 17. In **Deployment types**, select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-17.png) + ![Image of Microsoft Endpoint Configuration Manager configuration17](images/mecm-17.png) 18. In **Summary**, select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-18.png) + ![Image of Microsoft Endpoint Configuration Manager configuration18](images/mecm-18.png) The status is then displayed: - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-19.png) + ![Image of Microsoft Endpoint Configuration Manager configuration19](images/mecm-19.png) 19. In **Completion**, select **Close**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-20.png) + ![Image of Microsoft Endpoint Configuration Manager configuration20](images/mecm-20.png) 20. You can now deploy the application by right-clicking the app and selecting **Deploy**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-21.png) + ![Image of Microsoft Endpoint Configuration Manager configuration21](images/mecm-21.png) 21. In **General** select **Automatically distribute content for dependencies** and **Browse**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-22.png) + ![Image of Microsoft Endpoint Configuration Manager configuration22](images/mecm-22.png) 22. In **Content** select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-23.png) + ![Image of Microsoft Endpoint Configuration Manager configuration23](images/mecm-23.png) 23. In **Deployment settings**, select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-24.png) + ![Image of Microsoft Endpoint Configuration Manager configuration24](images/mecm-24.png) 24. In **Scheduling** select **As soon as possible after the available time**, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-25.png) + ![Image of Microsoft Endpoint Configuration Manager configuration25](images/mecm-25.png) 25. In **User experience**, select **Commit changes at deadline or during a maintenance window (requires restarts)**, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-26.png) + ![Image of Microsoft Endpoint Configuration Manager configuration26](images/mecm-26.png) 26. In **Alerts** select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-27.png) + ![Image of Microsoft Endpoint Configuration Manager configuration27](images/mecm-27.png) 27. In **Summary**, select **Next**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-28.png) + ![Image of Microsoft Endpoint Configuration Manager configuration28](images/mecm-28.png) The status is then displayed - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-29.png) + ![Image of Microsoft Endpoint Configuration Manager configuration29](images/mecm-29.png) 28. In **Completion**, select **Close**. - ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-30.png) + ![Image of Microsoft Endpoint Configuration Manager configuration30](images/mecm-30.png) + ## Related topics -- [Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md) +- [Troubleshoot Microsoft Defender for Endpoint](troubleshoot-mdatp.md) - [Onboard devices](onboard-configure.md) - [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md index 765a21fe20..c5b909cf91 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md @@ -4,7 +4,7 @@ description: Troubleshoot issues that might arise when using SIEM tools with Mic keywords: troubleshoot, siem, client secret, secret search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: troubleshooting +ms.technology: mde --- # Troubleshoot SIEM tool integration issues @@ -23,10 +24,11 @@ ms.topic: troubleshooting **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) You might need to troubleshoot issues while pulling detections in your SIEM tools. @@ -75,11 +77,11 @@ If you encounter an error when trying to enable the SIEM connector application, ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) ## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) -- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) -- [Microsoft Defender ATP Detection fields](api-portal-mapping.md) -- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) +- [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md) +- [Configure ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md) +- [Configure Splunk to pull Microsoft Defender for Endpoint detections](configure-splunk.md) +- [Microsoft Defender for Endpoint Detection fields](api-portal-mapping.md) +- [Pull Microsoft Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md index 8dfec3f344..28924cdac8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md @@ -4,7 +4,7 @@ description: Learn how to assign a low, normal, or high value to a device to hel keywords: microsoft defender atp device value, threat and vulnerability management device value, high value devices, device value exposure score search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Assign device value - threat and vulnerability management @@ -25,10 +26,11 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 004ad94602..1c89fb12df 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -1,10 +1,10 @@ --- title: Dashboard insights - threat and vulnerability management description: The threat and vulnerability management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience. -keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, threat and vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score +keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, threat and vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score search.appverid: met150 search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Dashboard insights - threat and vulnerability management @@ -24,12 +25,14 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +Threat and vulnerability management is a component of Defender for Endpoint, and provides both security administrators and security operations teams with unique value, including: -Threat and vulnerability management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Invaluable device vulnerability context during incident investigations @@ -51,7 +54,7 @@ Watch this video for a quick overview of what is in the threat and vulnerability ## Threat and vulnerability management dashboard - ![Microsoft Defender Advanced Threat Protection portal](images/tvm-dashboard-devices.png) + ![Microsoft Defender for Endpoint portal](images/tvm-dashboard-devices.png) Area | Description :---|:--- @@ -64,7 +67,8 @@ Area | Description **Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions. **Top exposed devices** | View exposed device names and their exposure level. Select a device name from the list to go to the device page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed devices. Select **Show more** to see the rest of the exposed devices list. From the devices list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate device. -For more information on the icons used throughout the portal, see [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons). +For more information on the icons used throughout the portal, see [Microsoft Defender for Endpoint icons](portal-overview.md#microsoft-defender-for-endpoint-icons). + ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md index 7d2f8da30c..f1f2519d03 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md @@ -4,7 +4,7 @@ description: Discover and plan for software and software versions that are no lo keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Plan for end-of-support software and software versions with threat and vulnerability management @@ -24,10 +25,11 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) End-of-support (EOS), otherwise known as end-of-life (EOL), for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions with ended support, you're exposing your organization to security vulnerabilities, legal, and financial risks. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md index f8f6565174..17596316a5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md @@ -1,10 +1,10 @@ --- title: Create and view exceptions for security recommendations - threat and vulnerability management -description: Create and monitor exceptions for security recommendations in threat and vulnerability management. +description: Create and monitor exceptions for security recommendations in threat and vulnerability management. keywords: microsoft defender atp tvm remediation, mdatp tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Create and view exceptions for security recommendations - threat and vulnerability management @@ -24,70 +25,114 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Sometimes, you may not be able to take the remediation steps suggested by a security recommendation. If that is the case, threat and vulnerability management gives you an avenue to create an exception. +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and no longer shows up in the security recommendations list. +As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. If your organization has device groups, you will be able to scope the exception to specific device groups. Exceptions can either be created for selected device groups, or for all device groups past and present. + +When an exception is created for a recommendation, the recommendation will not be active until the end of the exception duration. The recommendation state will change to **Full exception** or **Partial exception** (by device group). + +## Permissions + +Only users with “exceptions handling” permissions can manage exceptions (including creating or canceling). [Learn more about RBAC roles](user-roles.md). + +![View of exception handling permission.](images/tvm-exception-permissions.png) ## Create an exception -1. Go to the threat and vulnerability management navigation menu in the Microsoft Defender Security Center, and select [**Security recommendations**](tvm-security-recommendation.md). +Select a security recommendation you would like create an exception for, and then select **Exception options** and fill out the form. -2. Select a security recommendation you would like to create an exception for, and then **Exception options**. -![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-option.png) +![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png) -3. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. +### Exception by device group - The following list details the justifications behind the exception options: +Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from “active” to “partial exception.” The state will change to “full exception” if you select all the device groups. - - **Third party control** - A third party product or software already addresses this recommendation - - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced - - **Alternate mitigation** - An internal tool already addresses this recommendation - - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced - - **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive - - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization +![Showing device group dropdown.](images/tvm-exception-device-group-500.png) -4. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created. +#### Filtered views -## View your exceptions +If you have filtered by device group on any of the threat and vulnerability management pages, only your filtered device groups will appear as options. -When you file for an exception from the security recommendations page, you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). +This is the button to filter by device group on any of the threat and vulnerability management pages: -The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status. +![Showing selected device groups filter.](images/tvm-selected-device-groups.png) -![Example of the exception page and filter options.](images/tvm-exception-filters.png) +Exception view with filtered device groups: -### Exception actions and statuses +![Showing filtered device group dropdown.](images/tvm-exception-device-filter500.png) -Once an exception exists, you can cancel it at any time by going to the exception in the **Remediation** page and selecting **Cancel exception**. +#### Large number of device groups -The following statuses will be a part of an exception: +If your organization has more than 20 device groups, select **Edit** next to the filtered device group option. -- **Canceled** - The exception has been canceled and is no longer in effect -- **Expired** - The exception that you've filed is no longer in effect -- **In effect** - The exception that you've filed is in progress +![Showing how to edit large numbers of groups.](images/tvm-exception-edit-groups.png) -### Exception impact on scores +A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all. -Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Microsoft Secure Score for Devices of your organization in the following manner: +![Showing large device group flyout.](images/tvm-exception-device-group-flyout-400.png) -- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores. -- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control. -- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Microsoft Secure Score for Devices results out of the exception option that you made. +### Global exceptions -The exception impact shows on both the Security recommendations page column and in the flyout pane. +If you have global administrator permissions (called Microsoft Defender ATP administrator), you will be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from “active” to “full exception.” -![Screenshot identifying the impact sections which list score impacts in the full page security recommendations table, and the flyout.](images/tvm-exception-impact.png) +![Showing global exception option.](images/tvm-exception-global.png) -### View exceptions in other places +Some things to keep in mind: -Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. It will open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status. +- If a recommendation is under global exception, then newly created exceptions for device groups will be suspended until the global exception has expired or been cancelled. After that point, the new device group exceptions will go into effect until they expire. +- If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception will be suspended until it expires or the global exception is cancelled before it expires. -![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard.](images/tvm-exception-dashboard.png) +### Justification + +Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. + +The following list details the justifications behind the exception options: + +- **Third party control** - A third party product or software already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced +- **Alternate mitigation** - An internal tool already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced +- **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive +- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization + +## View all exceptions + +Navigate to the **Exceptions** tab in the **Remediation** page. You can filter by justification, type, and status. + + Select an exception to open a flyout with more details. Exceptions per devices group will have a list of every device group the exception covers, which you can export. You can also view the related recommendation or cancel the exception. + +![Showing the "Exceptions" tab in the Remediation page.](images/tvm-exception-view.png) + +## How to cancel an exception + +To cancel an exception, navigate to the **Exceptions** tab in the **Remediation** page. Select the exception. + +To cancel the exception for all device groups or for a global exception, select the **Cancel exception for all device groups** button. You will only be able to cancel exceptions for device groups you have permissions for. + +![The cancel button.](images/tvm-exception-cancel.png) + +### Cancel the exception for a specific device group + +Select the specific device group to cancel the exception for it. A flyout will appear for the device group, and you can select **Cancel exception**. + +![Showing how to select a specific device group.](images/tvm-exception-device-group-hover.png) + +## View impact after exceptions are applied + +In the Security Recommendations page, select **Customize columns** and check the boxes for **Exposed devices (after exceptions)** and **Impact (after exceptions)**. + +![Showing customize columns options.](images/tvm-after-exceptions.png) + +The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include ‘third party control’ and ‘alternate mitigation’. Other justifications do not reduce the exposure of a device, and they are still considered exposed. + +The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include ‘third party control’ and ‘alternate mitigation.’ Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change. + +![Showing the columns in the table.](images/tvm-after-exceptions-table.png) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index d23e973e81..e4895d3691 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -4,7 +4,7 @@ description: The threat and vulnerability management exposure score reflects how keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score, threat and vulnerability management, Microsoft Defender Advanced Threat Protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Exposure score - threat and vulnerability management @@ -24,10 +25,11 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Your exposure score is visible in the [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation. @@ -49,46 +51,6 @@ The exposure score is broken down into the following levels: You can remediate the issues based on prioritized [security recommendations](tvm-security-recommendation.md) to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization. -## How the score is calculated - -The exposure score is continuously calculated on each device in the organization. It is scored & evaluated based on the following categories: - -- **Threats** - external and internal threats such as public exploit code and security alerts -- **Likelihood** - likelihood of the device to get breached given its current security posture -- **Value** - value of the device to the organization given its role and content - -**Device exposure score** = (Threats + Likelihood) x Value - -**Organization exposure score** = Avg (All device exposure scores) taking into account organization value multipliers - -### Threats - -Points are added based on whether the device has any vulnerabilities or misconfigurations, determined by the Common Vulnerability Scoring System (CVSS) base score. - -Further points are added based on: - -- Exploits availability and whether the exploit is verified or ranked -- A threat campaign is linked to the vulnerability or misconfiguration - -### Likelihood - -Points are added based on whether any of the following factors are true: - -- The device is internet facing -- Specific compensating controls are misconfigured -- An exploit attempt is linked directly to a threat spotted in the organization - -### Value - -Points are added based on whether any of the following factors are true for a device: - -- Contains high business impact (HBI) data -- Marked as a High Value Asset (HVA) or serves as an important server role (e.g. AD, DNS) -- Runs a business critical app (BCA) -- Used by a marked high value user (HVU) (e.g. domain admin, CEO) - -If a device is valuable to your organization, it should increase the total organization exposure score. - ## Reduce your threat and vulnerability exposure Lower your threat and vulnerability exposure by remediating [security recommendations](tvm-security-recommendation.md). Make the most impact to your exposure score by remediating the top security recommendations, which can be viewed in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md index d530052017..3ee21c13f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md @@ -1,10 +1,10 @@ --- -title: Hunt for exposed devices +title: Hunt for exposed devices description: Learn how threat and vulnerability management can be used to help security admins, IT admins, and SecOps collaborate. -keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls +keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Hunt for exposed devices - threat and vulnerability management @@ -25,10 +26,11 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) ## Use advanced hunting to find devices with vulnerabilities diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md index ea67db383d..1118e64dd3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md @@ -4,7 +4,7 @@ description: Your score for devices shows the collective security configuration keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, threat and vulnerability management, security controls, improvement opportunities, security configuration score over time, security posture, baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Microsoft Secure Score for Devices @@ -24,8 +25,12 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) + >[!NOTE] > Configuration score is now part of threat and vulnerability management as Microsoft Secure Score for Devices. @@ -42,7 +47,7 @@ Select a category to go to the [**Security recommendations**](tvm-security-recom ## Turn on the Microsoft Secure Score connector -Forward Microsoft Defender ATP signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data. +Forward Microsoft Defender for Endpoint signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data. Changes might take up to a few hours to reflect in the dashboard. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md index 9aba0d42d1..cc8de342e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md @@ -4,7 +4,7 @@ description: Before you begin using threat and vulnerability management, make su keywords: threat & vulnerability management permissions prerequisites, threat and vulnerability management permissions prerequisites, MDATP TVM permissions prerequisites, vulnerability management search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Prerequisites & permissions - threat and vulnerability management @@ -23,14 +24,15 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Ensure that your devices: -- Are onboarded to Microsoft Defender Advanced Threat Protection +- Are onboarded to Microsoft Defender for Endpoint - Run [supported operating systems and platforms](tvm-supported-os.md) - Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates: @@ -41,7 +43,8 @@ Ensure that your devices: > Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) > Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) -- Are onboarded to [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure). If you're using Configuration Manager, update your console to the latest version. +- Are onboarded to [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) to help remediate threats found by threat and vulnerability management. If you're using Configuration Manager, update your console to the latest version. + - **Note**: If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set. - Have at least one security recommendation that can be viewed in the device page - Are tagged or marked as co-managed diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 83f4fa34f0..972694233d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -1,10 +1,10 @@ --- title: Remediate vulnerabilities with threat and vulnerability management -description: Remediate security weaknesses discovered through security recommendations, and create exceptions if needed, in threat and vulnerability management. +description: Remediate security weaknesses discovered through security recommendations, and create exceptions if needed, in threat and vulnerability management. keywords: microsoft defender atp tvm remediation, mdatp tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,29 +14,33 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Remediate vulnerabilities with threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) ## Request remediation -The threat and vulnerability management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. +The threat and vulnerability management capability in Microsoft Defender for Endpoint bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. ### Enable Microsoft Intune connection To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**. -See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. +**Note**: If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set. + +See [Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. ### Remediation request steps @@ -44,13 +48,16 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender AT 2. Select a security recommendation you would like to request remediation for, and then select **Remediation options**. -3. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. +3. Fill out the form, including what you are requesting remediation for, applicable device groups, priority, due date, and optional notes. + 1. If you choose the "attention required" remediation option, selecting a due date will not be available since there is no specific action. -4. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. +4. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. -5. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. +5. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. -If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. +6. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. + +If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. >[!NOTE] >If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune. @@ -63,12 +70,24 @@ Lower your organization's exposure from vulnerabilities and increase your securi When you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created that can be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune. +If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there is no actual action we can monitor. + Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. ![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.](images/remediation_flyouteolsw.png) >[!NOTE] > There is a 180 day retention period for completed remediation activities. To keep the Remediation page performing optimally, the remediation activity will be removed 6 months after its completion. +### Completed by column + +Track who closed the remediation activity with the "Completed by" column on the Remediation page. + +- **Email address**: The email of the person who manually completed the task +- **System confirmation**: The task was automatically completed (all devices remediated) +- **N/A**: Information is not available because we don't know how this older task was completed + +![Created by and completed by columns with two rows. One row for completed by has example of an email, the other row says system confirmation.](images/tvm-completed-by.png) + ### Top remediation activities in the dashboard View **Top remediation activities** in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index b4ffcd5ce4..2c151888d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -4,7 +4,7 @@ description: Get actionable security recommendations prioritized by threat, like keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Security recommendations - threat and vulnerability management @@ -24,15 +25,19 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance. Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. +>[!TIP] +>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md) + ## How it works Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time. @@ -95,12 +100,12 @@ From the flyout, you can choose any of the following options: - **Open software page** - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. -- [**Remediation options**](tvm-remediation.md) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. +- [**Remediation options**](tvm-remediation.md) - Submit a remediation request to open a ticket in Microsoft Intune for your IT administrator to pick up and address. Track the remediation activity in the Remediation page. - [**Exception options**](tvm-exception.md) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet. >[!NOTE] ->When a change is made on a device, it typically takes two hours for the data to be reflected in the Microsoft Defender Security Center. However, it may sometimes take longer. +>When a software change is made on a device, it typically takes 2 hours for the data to be reflected in the security portal. Configuration changes can take 12 hours. However, it may sometimes take longer. ### Investigate changes in device exposure or impact @@ -108,7 +113,31 @@ If there is a large jump in the number of exposed devices, or a sharp increase i 1. Select the recommendation and **Open software page** 2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md) -3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request. +3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request + +## Request remediation + +The threat and vulnerability management remediation capability bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** page to Intune. [Learn more about remediation options](tvm-remediation.md) + +### How to request remediation + +Select a security recommendation you would like to request remediation for, and then select **Remediation options**. Fill out the form and select **Submit request**. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. [Learn more about how to request remediation](tvm-remediation.md#request-remediation) + +## File for exception + +As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. [Learn more about exceptions](tvm-exception.md) + +Only users with “exceptions handling” permissions can add exception. [Learn more about RBAC roles](user-roles.md). + +When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state will change to **Full exception** or **Partial exception** (by device group). + +### How to create an exception + +Select a security recommendation you would like create an exception for, and then select **Exception options**. + +![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png) + +Fill out the form and submit. To view all your exceptions (current and past), navigate to the [Remediation](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab. [Learn more about how to create an exception](tvm-exception.md#create-an-exception) ## Report inaccuracy diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index bff224c503..448a705241 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -4,7 +4,7 @@ description: The software inventory page for Microsoft Defender ATP's threat and keywords: threat and vulnerability management, microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,25 +14,27 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Software inventory - threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) The software inventory in threat and vulnerability management is a list of known software in your organization with official [Common Platform Enumerations (CPE)](https://nvd.nist.gov/products/cpe). Software products without an official CPE don’t have vulnerabilities published. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices. ## How it works -In the field of discovery, we're leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md). +In the field of discovery, we're leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender for Endpoint detection and response capabilities](overview-endpoint-detection-response.md). Since it's real time, in a matter of minutes, you'll see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available. @@ -43,7 +45,7 @@ Access the Software inventory page by selecting **Software inventory** from the View software on specific devices in the individual devices pages from the [devices list](machines-view-overview.md). >[!NOTE] ->If you search for software using the Microsoft Defender ATP global search, make sure to put an underscore instead of a space. For example, for the best search results you'd write "windows_10" instead of "Windows 10". +>If you search for software using the Microsoft Defender for Endpoint global search, make sure to put an underscore instead of a space. For example, for the best search results you'd write "windows_10" instead of "Windows 10". ## Software inventory overview @@ -57,7 +59,7 @@ Select the software that you want to investigate. A flyout panel will open with ### Software that isn't supported -Software that isn't currently supported by threat & vulnerability management is still present in the Software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section. +Software that isn't currently supported by threat & vulnerability management may be present in the Software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section. ![Unsupported software filter.](images/tvm-unsupported-software-filter.png) @@ -66,6 +68,7 @@ The following indicates that a software is not supported: - Weaknesses field shows "Not available" - Exposed devices field shows a dash - Informational text added in side panel and in software page +- The software page won't have the security recommendations, discovered vulnerabilities, or event timeline sections Currently, products without a CPE are not shown in the software inventory page, only in the device level software inventory. @@ -95,9 +98,13 @@ You can view software pages a few different ways: A full page will appear with all the details of a specific software and the following information: -- Side panel with vendor information, prevalence of the software in the organization (including number of devices it's installed on, and exposed devices that aren't patched), whether and exploit is available, and impact to your exposure score -- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs with the number of exposed devices -- Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the devices that the software is installed on, and the specific versions of the software with the number of devices that have each version installed and number of vulnerabilities. +- Side panel with vendor information, prevalence of the software in the organization (including number of devices it's installed on, and exposed devices that aren't patched), whether and exploit is available, and impact to your exposure score. +- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs with the number of exposed devices. +- Tabs showing information such as: + - Corresponding security recommendations for the weaknesses and vulnerabilities identified. + - Named CVEs of discovered vulnerabilities. + - Devices that have the software installed (along with device name, domain, OS, and more). + - Software version list (including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices). ![Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.](images/tvm-software-page-example.png) @@ -115,4 +122,4 @@ Report a false positive when you see any vague, inaccurate, or incomplete inform - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) - [Security recommendations](tvm-security-recommendation.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [View and organize the Microsoft Defender ATP Devices list](machines-view-overview.md) +- [View and organize the Microsoft Defender for Endpoint Devices list](machines-view-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md index 6e3367187d..e56be4f333 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md @@ -4,7 +4,7 @@ description: Ensure that you meet the operating system or platform requisites fo keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, search.appverid: met150 search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Supported operating systems and platforms - threat and vulnerability management @@ -24,22 +25,23 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Before you begin, ensure that you meet the following operating system or platform requisites for threat and vulnerability management so the activities in your devices are properly accounted for. >[!NOTE] ->The supported systems and platforms for threat and vulnerability management may be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list. +>The supported systems and platforms for threat and vulnerability management may be different from the [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md) list. Operating system | Security assessment support :---|:--- Windows 7 | Operating System (OS) vulnerabilities -Windows 8.1 | Not supported -Windows 10 1607-1703 | Operating System (OS) vulnerabilities -Windows 10 1709+ |Operating System (OS) vulnerabilities
        Software product vulnerabilities
        Operating System (OS) configuration assessment
        Security controls configuration assessment
        Software product configuration assessment +Windows 8.1 | Operating System (OS) vulnerabilities
        Software product vulnerabilities
        Operating System (OS) configuration assessment
        Security controls configuration assessment
        Software product configuration assessment | +Windows 10, versions 1607-1703 | Operating System (OS) vulnerabilities +Windows 10, version 1709 or later |Operating System (OS) vulnerabilities
        Software product vulnerabilities
        Operating System (OS) configuration assessment
        Security controls configuration assessment
        Software product configuration assessment Windows Server 2008 R2 | Operating System (OS) vulnerabilities
        Software product vulnerabilities
        Operating System (OS) configuration assessment
        Security controls configuration assessment
        Software product configuration assessment Windows Server 2012 R2 | Operating System (OS) vulnerabilities
        Software product vulnerabilities
        Operating System (OS) configuration assessment
        Security controls configuration assessment
        Software product configuration assessment Windows Server 2016 | Operating System (OS) vulnerabilities
        Software product vulnerabilities
        Operating System (OS) configuration assessment
        Security controls configuration assessment
        Software product configuration assessment diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md index 21ba19666d..b30303b3e4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md @@ -4,7 +4,7 @@ description: A report showing vulnerable device trends and current statistics. T keywords: mdatp-tvm vulnerable devices, mdatp, tvm, reduce threat & vulnerability exposure, reduce threat and vulnerability, monitor security configuration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,26 +14,23 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Vulnerable devices report - threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -> [!IMPORTANT] -> **Vulnerable devices report is currently in public preview**
        -> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. -> For more information, see [Microsoft Defender ATP preview features](preview.md). - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) The report shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index 7d007181d1..a43ed74fe2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -1,10 +1,10 @@ --- title: Vulnerabilities in my organization - threat and vulnerability management -description: Lists the common vulnerabilities and exposures (CVE) ID of weaknesses found in the software running in your organization. Discovered by the Microsoft Defender ATP threat and vulnerability management capability. -keywords: mdatp threat & vulnerability management, threat and vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm +description: Lists the common vulnerabilities and exposures (CVE) ID of weaknesses found in the software running in your organization. Discovered by the Microsoft Defender ATP threat and vulnerability management capability. +keywords: mdatp threat & vulnerability management, threat and vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,33 +14,31 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Vulnerabilities in my organization - threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Threat and vulnerability management uses the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. +Threat and vulnerability management uses the same signals in Defender for Endpoint's endpoint protection to scan and detect vulnerabilities. The **Weaknesses** page lists the software vulnerabilities your devices are exposed to by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more. >[!NOTE] >If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by threat and vulnerability management. ->[!IMPORTANT] ->To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network: ->- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) ->- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) ->- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) ->- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) +>[!TIP] +>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md) ## Navigate to the Weaknesses page @@ -152,4 +150,4 @@ Report a false positive when you see any vague, inaccurate, or incomplete inform - [Security recommendations](tvm-security-recommendation.md) - [Software inventory](tvm-software-inventory.md) - [Dashboard insights](tvm-dashboard-insights.md) -- [View and organize the Microsoft Defender ATP Devices list](machines-view-overview.md) +- [View and organize the Microsoft Defender for Endpoint Devices list](machines-view-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md index 62b6465eab..f152b702aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md @@ -4,7 +4,7 @@ description: Learn how to find and mitigate zero-day vulnerabilities in your env keywords: mdatp tvm zero day vulnerabilities, tvm, threat & vulnerability management, zero day, 0-day, mitigate 0 day vulnerabilities, vulnerable CVE search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Mitigate zero-day vulnerabilities - threat and vulnerability management @@ -25,10 +26,11 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) A zero-day vulnerability is a publicly disclosed vulnerability for which no official patches or security updates have been released. Zero-day vulnerabilities often have high severity levels and are actively exploited. @@ -54,7 +56,7 @@ Look for the named zero-day vulnerability along with a description and details. - If this vulnerability has a CVE-ID assigned, you’ll see the zero-day label next to the CVE name. -- If this vulnerability has no CVE-ID assigned, you will find it under an internal, temporary name that looks like “TVM-XXXX-XXXX”. The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel. +- If this vulnerability has no CVE-ID assigned, you'll find it under an internal, temporary name that looks like “TVM-XXXX-XXXX”. The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel. ![Zero day example for CVE-2020-17087 in weaknesses page.](images/tvm-zero-day-weakness-name.png) @@ -72,9 +74,9 @@ Look for a zero-day tag for each software that has been affected by the zero–d ### Security recommendations page -View clear suggestions regarding remediation and mitigation options, including workarounds if they exist. Filter by the "zero day" tag to only see security recommendations addressing zero-day vulnerabilities. +View clear suggestions about remediation and mitigation options, including workarounds if they exist. Filter by the "zero day" tag to only see security recommendations addressing zero-day vulnerabilities. -If there is software with a zero-day vulnerability and additional vulnerabilities to address, you will get one recommendation regarding all vulnerabilities. +If there's software with a zero-day vulnerability and additional vulnerabilities to address, you'll get one recommendation about all vulnerabilities. ![Zero day example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-security-recommendation.png) @@ -84,9 +86,13 @@ Go to the security recommendation page and select a recommendation with a zero-d There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed. -Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.” +Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. You won't be able to select a due date, since there's no specific action to perform. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.” -![Zero day flyout example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-software-flyout-400.png) +![Zero day flyout example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-recommendation-flyout400.png) + +## Track zero-day remediation activities + +Go to the threat and vulnerability management [Remediation](tvm-remediation.md) page to view the remediation activity item. If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there's no actual action we can monitor. You can filter by remediation type, such as "software update" or "attention required," to see all activity items in the same category. ## Patching zero-day vulnerabilities @@ -94,7 +100,7 @@ When a patch is released for the zero-day, the recommendation will be changed to ![Recommendation for "Update Microsoft Windows 10" with new patch label.](images/tvm-zero-day-patch.jpg) -## Related topics +## Related articles - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) - [Dashboard](tvm-dashboard-insights.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index 1833077b2c..4024923c26 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md @@ -3,7 +3,7 @@ title: Release device from isolation API description: Use this API to create calls related to release a device from isolation. keywords: apis, graph api, supported apis, remove device from isolation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,19 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article - +ms.technology: mde --- # Release device from isolation API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -38,7 +43,7 @@ Undo isolation of a device. [!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -52,7 +57,7 @@ Delegated (work or school account) | Machine.Isolate | 'Isolate machine' ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate +POST https://api.securitycenter.microsoft.com/api/machines/{id}/unisolate ``` ## Request headers @@ -80,11 +85,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - +```http +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate ``` -POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate -Content-type: application/json + +```json { "Comment": "Unisolate machine since it was clean and validated" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index f05f9a4644..8c400b2ef4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -3,7 +3,7 @@ title: Remove app restriction API description: Use this API to create calls related to removing a restriction from applications from executing. keywords: apis, graph api, supported apis, remove device from isolation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Remove app restriction API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -37,7 +44,7 @@ Enable execution of any application on the device. [!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -51,7 +58,7 @@ Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution +POST https://api.securitycenter.microsoft.com/api/machines/{id}/unrestrictCodeExecution ``` ## Request headers @@ -77,11 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - +```http +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution ``` -POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution -Content-type: application/json + +```json { "Comment": "Unrestrict code execution since machine was cleaned and validated" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index 8d2e4f9a6a..fc757c6f0c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -3,7 +3,7 @@ title: Update alert entity API description: Learn how to update a Microsoft Defender ATP alert by using this API. You can update the status, determination, classification, and assignedTo properties. keywords: apis, graph api, supported apis, get, alert, information, id search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Update alert [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -38,7 +44,7 @@ Updates properties of existing [Alert](alerts.md). ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -76,8 +82,6 @@ classification | String | Specifies the specification of the alert. The property determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other' comment | String | Comment to be added to the alert. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - ## Response If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found. @@ -88,10 +92,11 @@ If successful, this method returns 200 OK, and the [alert](alerts.md) entity in Here is an example of the request. +```http +PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_2136280442 ``` -PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442 -Content-Type: application/json +```json { "status": "Resolved", "assignedTo": "secop2@contoso.com", @@ -99,4 +104,4 @@ Content-Type: application/json "determination": "Malware", "comment": "Resolve my alert and assign to secop2" } -``` +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index a2838a56d7..1211463ba1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -4,7 +4,7 @@ description: Learn about the features on Microsoft Defender Security Center, inc keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate devices, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Overview of Microsoft Defender Security Center @@ -23,12 +24,13 @@ ms.topic: conceptual **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) -Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. +Microsoft Defender Security Center is the portal where you can access Microsoft Defender for Endpoint capabilities. Use the **Security operations** dashboard to gain insight on the various alerts on devices and users in your network. @@ -36,11 +38,16 @@ Use the **Threat & Vulnerability Management** dashboard to expand your visibilit Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown. +## Microsoft Defender for Endpoint interactive guide +In this interactive guide, you'll learn how to investigate threats to your organization with Microsoft Defender for Endpoint. You'll see how Microsoft Defender for Endpoint can help you identify suspicious activities, investigate risks to your organization, and remediate threats. + +> [!VIDEO https://aka.ms/MSDE-IG] + ### In this section Topic | Description :---|:--- [Portal overview](portal-overview.md) | Understand the portal layout and area descriptions. -[View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the devices on your network, investigate devices, files, and URLs, and see snapshots of threats seen on devices. +[View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender for Endpoint **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the devices on your network, investigate devices, files, and URLs, and see snapshots of threats seen on devices. [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and Microsoft Secure Score for Devices side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices. [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify devices for the presence or absence of mitigations. diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index 4c08836f95..5533555522 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -4,7 +4,7 @@ description: Create roles and define the permissions assigned to the role as par keywords: user roles, roles, access rbac search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,20 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create and manage roles for role-based access control [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-roles-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-roles-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -68,7 +69,7 @@ The following steps guide you on how to create roles in Microsoft Defender Secur - **Manage portal system settings** - Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups > [!NOTE] - > This setting is only available in the Microsoft Defender ATP administrator (default) role. + > This setting is only available in the Microsoft Defender for Endpoint administrator (default) role. - **Manage security settings in Security Center** - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications, manage evaluation lab diff --git a/windows/security/threat-protection/microsoft-defender-atp/user.md b/windows/security/threat-protection/microsoft-defender-atp/user.md index 3a38c1edfc..d652b20f95 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user.md @@ -3,7 +3,7 @@ title: User resource type description: Retrieve recent Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) alerts related to users. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,18 +12,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # User resource type [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Method|Return Type |Description :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md index 9742f5aa9e..82af44a227 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md @@ -5,7 +5,7 @@ description: See the list of incidents and learn how to apply filters to limit t keywords: view, organize, incidents, aggregate, investigations, queue, ttp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,17 +14,20 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# View and organize the Microsoft Defender Advanced Threat Protection Incidents queue +# View and organize the Microsoft Defender for Endpoint Incidents queue [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) The **Incidents queue** shows a collection of incidents that were flagged from devices in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision. diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md index d91dfe2c07..188fa50263 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md @@ -3,7 +3,7 @@ title: Vulnerability methods and properties description: Retrieves vulnerability information keywords: apis, graph api, supported apis, get, vulnerability search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Vulnerability resource type @@ -21,9 +22,16 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index 4dd4166246..1f4b3d7e89 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md @@ -1,10 +1,10 @@ --- title: Web content filtering description: Use web content filtering in Microsoft Defender ATP to track and regulate access to websites based on their content categories. -keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser +keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,36 +13,41 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Web content filtering [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + > [!IMPORTANT] > **Web content filtering is currently in public preview**
        > This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. -> For more information, see [Microsoft Defender ATP preview features](preview.md). +> For more information, see [Microsoft Defender for Endpoint preview features](preview.md). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -Web content filtering is part of [Web protection](web-protection-overview.md) capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns. +Web content filtering is part of [Web protection](web-protection-overview.md) capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns. Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource. -Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome and Firefox). For more information about browser support, see the prerequisites section. +Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave and Opera). For more information about browser support, see the prerequisites section. Summarizing the benefits: - Users are prevented from accessing websites in blocked categories, whether they're browsing on-premises or away -- Conveniently deploy policies to groups of users using device groups defined in [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac) +- Conveniently deploy policies to groups of users using device groups defined in [Microsoft Defender for Endpoint role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac) - Access web reports in the same central location, with visibility over actual blocks and web usage ## User experience -The blocking experience for Chrome/Firefox is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. +The blocking experience for 3rd party supported browsers is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. For a more user-friendly in-browser experience, consider using Microsoft Edge. @@ -54,11 +59,11 @@ Before trying out this feature, make sure you have the following requirements: - Access to Microsoft Defender Security Center portal - Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update. -If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. +If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave, and Opera are currently 3rd party browsers in which this feature is enabled. ## Data handling -We will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds. +We will follow whichever region you have elected to use as part of your [Microsoft Defender for Endpoint data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. ## Turn on web content filtering @@ -78,7 +83,7 @@ To add a new policy: 2. Specify a name. 3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories. 4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories. -5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices. +5. Review the summary and save the policy. The policy refresh may take up to 2 hours to apply to your selected devices. Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. @@ -96,6 +101,14 @@ It's possible to override the blocked category in web content filtering to allow 2. Enter the domain of the site 3. Set the policy action to **Allow**. +### Reporting inaccuracies + +If you encounter a domain that has been incorrectly categorized, you can report inaccuracies directly to us from the Web Content Filtering reports page. This feature is available only in the new Microsoft 365 security center (security.microsoft.com). + +To report an inaccuracy, navigate to **Reports > Web protection > Web Content Filtering Details > Domains**. On the domains tab of our Web Content Filtering reports, you will see an ellipsis beside each of the domains. Hover over this ellipsis and select **Report Inaccuracy**. + +A panel will open where you can select the priority and add additional details such as the suggested category for re-categorization. Once you complete the form, select **Submit**. Our team will review the request within one business day. For immediate unblocking, create a [custom allow indicator](indicator-ip-domain.md). + ## Web content filtering cards and details Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering. @@ -138,7 +151,7 @@ Use the time range filter at the top left of the page to select a time period. Y ### Limitations and known issues in this preview -- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox. +- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across supported 3rd party browsers. - Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md index 071d86602f..2f3b363f08 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md @@ -1,10 +1,10 @@ --- title: Monitoring web browsing security in Microsoft Defender ATP description: Use web protection in Microsoft Defender ATP to monitor web browsing security -keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser +keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,15 +13,20 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Monitor web browsing security [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains cards that provide web threat detection statistics. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md index 717f128f7c..98c2c0942f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md @@ -1,10 +1,10 @@ --- title: Web protection -description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization +description: Learn about the web protection in Microsoft Defender ATP and how it can protect your organization keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, malicious websites search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,23 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Web protection [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -Web protection in Microsoft Defender ATP is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your devices against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**. +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) + +Web protection in Microsoft Defender for Endpoint is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your devices against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**. ![Image of all web protection cards](images/web-protection.png) @@ -43,7 +48,7 @@ The cards that comprise web content filtering are **Web activity by category**, Web content filtering includes: - Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away -- You can conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac) +- You can conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender for Endpoint role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac) - You can access web reports in the same central location, with visibility over actual blocks and web usage ## In this section diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md index 41fb1e22a8..ffe7d80226 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md @@ -4,7 +4,7 @@ description: Respond to alerts related to malicious and unwanted websites. Under keywords: web protection, web threat protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,21 +13,25 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Respond to web threats [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -Web protection in Microsoft Defender ATP lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list. +Web protection in Microsoft Defender for Endpoint lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list. ## View web threat alerts -Microsoft Defender ATP generates the following [alerts](manage-alerts.md) for malicious or suspicious web activity: +Microsoft Defender for Endpoint generates the following [alerts](manage-alerts.md) for malicious or suspicious web activity: - **Suspicious connection blocked by network protection** — this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is *stopped* by network protection in *block* mode - **Suspicious connection detected by network protection** — this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is detected by network protection in *audit only* mode @@ -40,7 +44,7 @@ Each alert provides the following information: ![Image of an alert related to web threat protection](images/wtp-alert.png) >[!Note] ->To reduce the volume of alerts, Microsoft Defender ATP consolidates web threat detections for the same domain on the same device each day to a single alert. Only one alert is generated and counted into the [web protection report](web-protection-monitoring.md). +>To reduce the volume of alerts, Microsoft Defender for Endpoint consolidates web threat detections for the same domain on the same device each day to a single alert. Only one alert is generated and counted into the [web protection report](web-protection-monitoring.md). ## Inspect website details You can dive deeper by selecting the URL or domain of the website in the alert. This opens a page about that particular URL or domain with various information, including: @@ -59,7 +63,7 @@ You can also check the device that attempted to access a blocked URL. Selecting ## Web browser and Windows notifications for end users -With web protection in Microsoft Defender ATP, your end users will be prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is performed by [network protection](network-protection.md), they will see a generic error from the web browser. They will also see a notification from Windows. +With web protection in Microsoft Defender for Endpoint, your end users will be prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is performed by [network protection](network-protection.md), they will see a generic error from the web browser. They will also see a notification from Windows. ![Image of Microsoft Edge showing a 403 error and the Windows notification](images/wtp-browser-blocking-page.png) *Web threat blocked on Microsoft Edge* diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md index f6b119e508..d8df81f307 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md @@ -1,10 +1,10 @@ --- title: Protect your organization against web threats -description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization +description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization. keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,14 +13,18 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Protect your organization against web threats [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 7e173b6a93..dbac12f064 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -4,7 +4,7 @@ description: See what features are generally available (GA) in the latest releas keywords: what's new in microsoft defender atp, ga, generally available, capabilities, available, new search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.pagetype: security @@ -14,21 +14,23 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- -# What's new in Microsoft Defender ATP +# What's new in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) -The following features are generally available (GA) in the latest release of Microsoft Defender ATP as well as security features in Windows 10 and Windows Server. +The following features are generally available (GA) in the latest release of Microsoft Defender for Endpoint as well as security features in Windows 10 and Windows Server. For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection). @@ -40,17 +42,30 @@ For more information preview features, see [Preview features](https://docs.micro > https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us > ``` + +## January 2021 + +- [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
        Microsoft Defender for Endpoint now adds support for Windows Virtual Desktop. + +## December 2020 +- [Microsoft Defender for Endpoint for iOS](microsoft-defender-atp-ios.md)
        Microsoft Defender for Endpoint now adds support for iOS. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for iOS. + ## September 2020 -- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
        Microsoft Defender ATP now adds support for Android. Learn how to install, configure, update, and use Microsoft Defender ATP for Android. +- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
        Microsoft Defender for Endpoint now adds support for Android. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for Android. - [Threat and vulnerability management macOS support](tvm-supported-os.md)
        Threat and vulnerability management for macOS is now in public preview, and will continuously detect vulnerabilities on your macOS devices to help you prioritize remediation by focusing on risk. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-adds-depth-and-breadth-to-threat/ba-p/1695824). + +## August 2020 +- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
        Microsoft Defender for Endpoint now adds support for Android. Learn how to install, configure, and use Microsoft Defender for Endpoint for Android. + + ## July 2020 - [Create indicators for certificates](manage-indicators.md)
        Create indicators to allow or block certificates. ## June 2020 -- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md)
        Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux. +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
        Microsoft Defender for Endpoint now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for Linux. -- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios)
        Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal. +- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios)
        Microsoft Defender for Endpoint has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal. ## April 2020 @@ -59,7 +74,7 @@ For more information preview features, see [Preview features](https://docs.micro ## November-December 2019 -- [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md)
        Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](endpoint-detection-response-mac-preview.md). +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md)
        Microsoft Defender for Endpoint for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](endpoint-detection-response-mac-preview.md). - [Threat & Vulnerability Management application and application version end-of-life information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
        Applications and application versions which have reached their end-of-life are tagged or labeled as such so you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications. @@ -67,6 +82,8 @@ For more information preview features, see [Preview features](https://docs.micro - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
        Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions. +- [Device health and compliance report](machine-reports.md)
        The device health and compliance report provides high-level information about the devices in your organization. + ## October 2019 - [Indicators for IP addresses, URLs/Domains](manage-indicators.md)
        You can now allow or block URLs/domains using your own threat intelligence. @@ -74,18 +91,18 @@ For more information preview features, see [Preview features](https://docs.micro - [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md)
        You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation. -- [Connected Azure AD applications](connected-applications.md)
        The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender ATP in your organization. +- [Connected Azure AD applications](connected-applications.md)
        The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization. -- [API Explorer](api-explorer.md)
        The API explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender ATP API endpoint. +- [API Explorer](api-explorer.md)
        The API explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender for Endpoint API endpoint. ## September 2019 -- [Tamper Protection settings using Intune](../microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
        You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune). +- [Tamper protection settings using Intune](../microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#manage-tamper-protection-for-your-organization-using-intune)
        You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune). - [Live response](live-response.md)
        Get instantaneous access to a device using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time. -- [Evaluation lab](evaluation-lab.md)
        The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can +- [Evaluation lab](evaluation-lab.md)
        The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
        You can now onboard Windows Server 2008 R2 SP1. @@ -102,25 +119,25 @@ For more information preview features, see [Preview features](https://docs.micro - [Threat protection reports](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection)
        The threat protection report provides high-level information about alerts generated in your organization. -- [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)
        Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. +- [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)
        Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender for Endpoint that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. - [Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ti-indicator)
        APIs for indicators are now generally available. -- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/partner-applications)
        Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. +- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/partner-applications)
        Microsoft Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. ## April 2019 - [Microsoft Threat Experts Targeted Attack Notification capability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification)
        Microsoft Threat Experts' Targeted Attack Notification alerts are tailored to organizations to provide as much information as can be quickly delivered thus bringing attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion. -- [Microsoft Defender ATP API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro)
        Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. +- [Microsoft Defender for Endpoint API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro)
        Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender for Endpoint capabilities. ## February 2019 -- [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue)
        Incident is a new entity in Microsoft Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats. +- [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue)
        Incident is a new entity in Microsoft Defender for Endpoint that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats. -- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
        Onboard supported versions of Windows devices so that they can send sensor data to the Microsoft Defender ATP sensor. +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
        Onboard supported versions of Windows devices so that they can send sensor data to the Microsoft Defender for Endpoint sensor. ## October 2018 @@ -130,16 +147,16 @@ For more information preview features, see [Preview features](https://docs.micro - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
        With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the creation of custom detection rules. -- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
        Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers. +- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
        Microsoft Defender for Endpoint integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers. -- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
        Microsoft Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Microsoft Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
        Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Microsoft Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. -- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)
        Microsoft Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs. +- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)
        Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs. - [Support for iOS and Android devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection#turn-on-third-party-integration)
        iOS and Android devices are now supported and can be onboarded to the service. - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)
        -Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. +Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. - New in Windows 10 version 1809, there are two new attack surface reduction rules: - Block Adobe Reader from creating child processes @@ -154,7 +171,7 @@ Threat Analytics is a set of interactive reports published by the Microsoft Defe ## March 2018 - [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
        -Query data using advanced hunting in Microsoft Defender ATP. +Query data using advanced hunting in Microsoft Defender for Endpoint. - [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
        New attack surface reduction rules: @@ -171,21 +188,21 @@ Query data using advanced hunting in Microsoft Defender ATP. - [Conditional Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
        Enable conditional access to better protect users, devices, and data. -- [Microsoft Defender ATP Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)
        - The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. +- [Microsoft Defender for Endpoint Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)
        + The Microsoft Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product. - [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
        You can now block untrusted processes from writing to disk sectors using Controlled Folder Access. - [Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection)
        - Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. + Microsoft Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. - [Role-based access control (RBAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)
        Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. - [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
        -Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender ATP. For more information, see [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). +Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. For more information, see [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus). diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 9b9d8baad8..ace344e032 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -2,7 +2,7 @@ title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10) description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings. keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security @@ -12,6 +12,7 @@ ms.date: 09/28/2020 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings **Applies to:** @@ -34,28 +35,27 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
        Windows 10, version 2004:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

        -

        		Windows 10, version 1703:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

        Windows 10, Version 1607 and earlier:
        Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

        		At least Windows Server 2012, Windows 8 or Windows RTWindows 10, version 1703:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

        Windows 10, Version 1607 and earlier:
        Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

        +At least Windows Server 2012, Windows 8 or Windows RT

        		 This policy setting turns on Microsoft Defender SmartScreen.

        If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

        If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

        If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.
        Windows 10, version 2004:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control        		 Windows 10, version 1703:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control        		Windows 10, version 1703 This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

        This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.

        Important: Using a trustworthy browser helps ensure that these protections work as expected.
        Windows 10, version 2004:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

        Windows 10, version 1703:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

        Windows 10, Version 1607 and earlier:
        Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

        		Windows 10, version 2004:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

        Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)

        Windows 10, version 1703:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

        Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)

        Windows 10, Version 1607 and earlier:
        Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

        		 Microsoft Edge on Windows 10 or later This policy setting turns on Microsoft Defender SmartScreen.

        If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.

        If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

        If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.
        Windows 10, version 2004:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

        Windows 10, version 1703:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

        Windows 10, Version 1511 and 1607:
        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files

        		Windows 10, version 2004:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)

        Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)

        Windows 10, version 1703:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)

        Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)

        Windows 10, Version 1511 and 1607:
        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files

        		 Microsoft Edge on Windows 10, version 1511 or later This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.

        If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

        If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.
        Windows 10, version 2004:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

        Windows 10, version 1703:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

        Windows 10, Version 1511 and 1607:
        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites

        		Windows 10, version 2004:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)

        Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)

        Windows 10, version 1703:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)

        Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)

        Windows 10, Version 1511 and 1607:
        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites

        		 Microsoft Edge on Windows 10, version 1511 or later This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.

        If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

        If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.
        Recommendation
        Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreenAdministrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

        Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)

        		 Enable. Turns on Microsoft Defender SmartScreen.
        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sitesAdministrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)

        Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)

        		 Enable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for filesAdministrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)

        Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)

        		Enable. Stops employees from ignoring warning messages and continuing to download potentially malicious files.