diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 9904301173..362aae37c3 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -289,9 +289,9 @@ The following table show the mapping of information to the AppLocker publisher r Here is an example AppLocker publisher rule: ``` syntax -FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*"> + - + ``` You can get the publisher name and product name of apps using a web API. @@ -299,7 +299,7 @@ You can get the publisher name and product name of apps using a web API. **To find publisher and product name for Microsoft apps in Microsoft Store for Business** 1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote. -2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https:<\span>//www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**. +2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**. 3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. @@ -313,14 +313,11 @@ You can get the publisher name and product name of apps using a web API. - +

https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata

https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata
- - -~~~ Here is the example for Microsoft OneNote: Request @@ -339,7 +336,6 @@ Result "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" } ``` -~~~ diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 047006fce2..4f28ec54ab 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -1,6 +1,6 @@ --- title: Alter Windows 10 Start and taskbar via mobile device management -description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and tasbkar layout to users. +description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 ms.reviewer: manager: dansimp @@ -51,6 +51,9 @@ Two features enable Start layout control: - In Microsoft Intune, you select the Start layout XML file and add it to a device configuration profile. + >[!NOTE] + >Please do not include XML Prologs like \ in the Start layout XML file. The settings may not be reflected correctly. + ## Create a policy for your customized Start layout diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index 49b83d23f1..ae68206cec 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md @@ -42,29 +42,30 @@ The following resources provide additional information about using Windows Updat ``` console cmd ``` -2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. +2. Stop the **BITS service**, the **Windows Update service** and the **Cryptographic service**. To do this, type the following commands at a command prompt. Press ENTER after you type each command. ``` console net stop bits net stop wuauserv + net stop cryptsvc ``` -3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER: +3. Delete the **qmgr\*.dat** files. To do this, type the following command at a command prompt, and then press ENTER: ``` console Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" ``` 4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above. 1. Rename the following folders to *.BAK: ``` console - %systemroot%\SoftwareDistribution\DataStore - %systemroot%\SoftwareDistribution\Download - %systemroot%\system32\catroot2 + %Systemroot%\SoftwareDistribution\DataStore + %Systemroot%\SoftwareDistribution\Download + %Systemroot%\System32\catroot2 ``` To do this, type the following commands at a command prompt. Press ENTER after you type each command. ``` console - Ren %systemroot%\SoftwareDistribution\DataStore *.bak - Ren %systemroot%\SoftwareDistribution\Download *.bak - Ren %systemroot%\system32\catroot2 *.bak + Ren %Systemroot%\SoftwareDistribution\DataStore DataStore.bak + Ren %Systemroot%\SoftwareDistribution\Download Download.bak + Ren %Systemroot%\System32\catroot2 catroot2.bak ``` - 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + 2. Reset the **BITS service** and the **Windows Update service** to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. ``` console sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) @@ -73,7 +74,7 @@ The following resources provide additional information about using Windows Updat ``` console cd /d %windir%\system32 ``` -6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command. +6. Reregister the **BITS** files and the **Windows Update** files. To do this, type the following commands at a command prompt. Press ENTER after you type each command. ``` console regsvr32.exe atl.dll @@ -114,7 +115,7 @@ The following resources provide additional information about using Windows Updat regsvr32.exe wuwebv.dll ``` -7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER: +7. Reset **Winsock**. To do this, type the following command at a command prompt, and then press ENTER: ``` console netsh winsock reset ``` @@ -122,13 +123,13 @@ The following resources provide additional information about using Windows Updat ``` console proxycfg.exe -d ``` -9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. +9. Restart the **BITS service**, the **Windows Update service** and the **Cryptographic service**. To do this, type the following commands at a command prompt. Press ENTER after you type each command. ``` console net start bits - - net start wuauserv + net start wuauserv + net start cryptsvc ``` -10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER: +10. If you are running Windows Vista or Windows Server 2008, clear the **BITS** queue. To do this, type the following command at a command prompt, and then press ENTER: ``` console bitsadmin.exe /reset /allusers ``` diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index d449b47b4c..0d7d37c2fe 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md @@ -85,6 +85,7 @@ The following methodology was used to derive these network endpoints: |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| ||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| ||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index 90a4a08397..b69fe341ce 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md @@ -42,9 +42,9 @@ As the depth and breadth of protections provided by Windows Defender Credential ### Saved Windows Credentials Protected Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites are not protected since the applications require your cleartext password. If the application does not need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: - - Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed." - - Applications that extract Windows credentials fail. - - When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials. +* Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed." +* Applications that extract Windows credentials fail. +* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials. ## Clearing TPM Considerations Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost. diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 34008453ad..714d9c0db7 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -82,6 +82,9 @@ Microsoft recommends that BitLocker Device Encryption be enabled on any systems Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. +> [!NOTE] +> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that, different BitLocker settings can be applied. + ## Used Disk Space Only encryption BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 683610ed5c..3c97136983 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -56,12 +56,12 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh If you are using Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` -- Name: `ForceDefenderPassiveMode` +- Name: `ForcePassiveMode` - Type: `REG_DWORD` - Value: `1` > [!NOTE] -> The `ForceDefenderPassiveMode` registry key is not supported on Windows Server 2016. +> The `ForcePassiveMode` registry key is not supported on Windows Server 2016. (2) On Windows Server 2016, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In addition, Microsoft Defender Antivirus is not supported in passive mode. In those cases, [disable/uninstall Microsoft Defender Antivirus manually](microsoft-defender-antivirus-on-windows-server-2016.md#are-you-using-windows-server-2016) to prevent problems caused by having multiple antivirus products installed on a server. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index 0f1c9bbc2f..4eb54041c7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md @@ -177,7 +177,7 @@ If you are using a non-Microsoft antivirus product as your primary antivirus sol If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` -- Name: `ForceDefenderPassiveMode` +- Name: `ForcePassiveMode` - Type: `REG_DWORD` - Value: `1` diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 418d398d86..0239279f5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -1,7 +1,7 @@ --- -title: Configure advanced features in Microsoft Defender ATP -description: Turn on advanced features such as block file in Microsoft Defender Advanced Threat Protection. -keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, azure atp, office 365, azure information protection, intune +title: Configure advanced features in Microsoft Defender for Endpoint +description: Turn on advanced features such as block file in Microsoft Defender for Endpoint. +keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, microsoft defender for identity, office 365, azure information protection, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security @@ -27,7 +27,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] ->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with. @@ -61,15 +61,15 @@ Enabling this feature allows you to run unsigned scripts in a live response sess ## Autoresolve remediated alerts -For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature. +For tenants created on or after Windows 10, version 1809, the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature. ->[!TIP] ->For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page. +> [!TIP] +> For tenants created prior to that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page. ->[!NOTE] +> [!NOTE] > ->- The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device. ->- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it. +> - The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device. +> - If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it. ## Allow or block file @@ -100,8 +100,8 @@ To use this feature, devices must be running Windows 10 version 1709 or later. T For more information, see [Manage indicators](manage-indicators.md). ->[!NOTE] ->Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Defender for Endpoint data. +> [!NOTE] +> Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Defender for Endpoint data. ## Show user details @@ -117,15 +117,15 @@ For more information, see [Investigate a user account](investigate-user.md). Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks. ->[!NOTE] +> [!NOTE] > When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode. ## Azure Advanced Threat Protection integration The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view. ->[!NOTE] ->You'll need to have the appropriate license to enable this feature. +> [!NOTE] +> You'll need to have the appropriate license to enable this feature. ## Office 365 Threat Intelligence connection @@ -133,24 +133,24 @@ This feature is only available if you have an active Office 365 E5 or the Threat When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices. ->[!NOTE] ->You'll need to have the appropriate license to enable this feature. +> [!NOTE] +> You'll need to have the appropriate license to enable this feature. -To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). +To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Threat investigation and response](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-ti). ## Microsoft Threat Experts Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Defender for Endpoint portal's alerts dashboard and via email if you configure it. ->[!NOTE] ->The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security). +> [!NOTE] +> The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security). ## Microsoft Cloud App Security Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. ->[!NOTE] ->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. +> [!NOTE] +> This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)), or later Windows 10 versions. ## Azure Information Protection @@ -158,13 +158,13 @@ Turning on this setting allows signals to be forwarded to Azure Information Prot ## Microsoft Secure Score -Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. +Forwards Microsoft Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the device's security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data. -### Enable the Microsoft Defender ATP integration from the Azure ATP portal +### Enable the Microsoft Defender for Endpoint integration from the Microsoft Defender for Identity portal -To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. +To receive contextual device integration in Microsoft Defender for Identity, you'll also need to enable the feature in the Microsoft Defender for Identity portal. -1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role. +1. Log in to the [Microsoft Defender for Identity portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role. 2. Click **Create your instance**. @@ -176,8 +176,8 @@ After completing the integration steps on both portals, you'll be able to see re Defender for Endpoint can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement. ->[!IMPORTANT] ->You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md). +> [!IMPORTANT] +> You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md). This feature is only available if you have the following: @@ -188,7 +188,7 @@ This feature is only available if you have the following: When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It should not be deleted. ->[!NOTE] +> [!NOTE] > The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints. ## Preview features @@ -207,4 +207,3 @@ After configuring the [Security policy violation indicators](https://docs.micros - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications](configure-email-notifications.md) - diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index c7281f84af..f227cf31b8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -33,7 +33,7 @@ ms.technology: mde Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). > [!NOTE] -> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you add it as an application you trust or allow with [certificate and file indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates). +> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with [certificate and file indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates). Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index b4ddf74520..65af61d64f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -93,6 +93,10 @@ When saved, a new custom detection rule immediately runs and checks for matches - **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours - **Every hour**—runs hourly, checking data from the past 2 hours +> [!IMPORTANT] +>When changing a query that is already scheduled as a Custom Detection, it's next immediate execution will have a lookback window of 30 days, exactly as if a new query was being created. +>Changes to a large number of queries, and with time filters higher than the default lookback durantion for the selected frequency, might have an impact in the overall quota consumption of Advanced Hunting and resulting in exhausting the daily quota. + > [!TIP] > Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 1517a11f36..7997959422 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -157,6 +157,9 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications] Microsoft Defender for Endpoint certificate and file indicators can allow signed executable files to access protected folders. For implementation details, see [Create indicators based on certificates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates). +> [!Note] +> This does no apply to scripting engines, including Powershell + ## Customize the notification For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Configure alert notifications in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications). diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 87dd461c37..5aabbdddd6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -20,7 +20,7 @@ ms.collection: - m365initiative-defender-endpoint - m365solution-scenario - m365scenario-fpfn -ms.topic: conceptual +ms.topic: how-to ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola ms.custom: FPFN --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index 3118860e56..dc6a1df497 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md @@ -114,9 +114,9 @@ For more information on Azure AD tokens, see the [Azure AD tutorial](https://doc ### Use PowerShell -``` -# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory -# Paste below your Tenant ID, App ID and App Secret (App key). +```powershell +# This script acquires the App Context Token and stores it in the variable $token for later use in the script. +# Paste your Tenant ID, App ID, and App Secret (App key) into the indicated quotes below. $tenantId = '' ### Paste your tenant ID here $appId = '' ### Paste your Application ID here @@ -132,8 +132,6 @@ $authBody = [Ordered] @{ } $authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop $token = $authResponse.access_token -Out-File -FilePath "./Latest-token.txt" -InputObject $token -return $token ``` ### Use C#: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md index 7dd1dd5614..92e59213ed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md @@ -20,7 +20,7 @@ ms.collection: - m365solution-scenario ms.topic: article ms.custom: migrationguides -ms.date: 02/11/2021 +ms.date: 02/18/2021 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho --- @@ -115,7 +115,7 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint. 1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. + `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`. 2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md index 629394aa04..8fdd6ac986 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md @@ -19,7 +19,7 @@ ms.collection: - m365solution-migratetomdatp ms.topic: article ms.custom: migrationguides -ms.date: 02/11/2021 +ms.date: 02/18/2021 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho --- @@ -100,7 +100,7 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d Because your organization is still using your existing endpoint protection solution, you must set Microsoft Defender Antivirus to passive mode. That way, your existing solution and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint. 1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. + `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`. 2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: - Set the DWORD's value to **1**. - Under **Base**, select **Hexadecimal**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md index cb27f632be..c9823a17ab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -18,7 +18,7 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article -ms.date: 02/11/2021 +ms.date: 02/18/2021 ms.custom: migrationguides ms.reviewer: depicker, yongrhee, chriggs --- @@ -89,7 +89,7 @@ Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint. 1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. + `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`. 2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: - Set the DWORD's value to **1**. - Under **Base**, select **Hexadecimal**. diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index 3bcba3890f..6b859eac3c 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md @@ -22,6 +22,14 @@ Microsoft is committed to optimizing the security of its products and services. The product releases below are currently certified against the cited Protection Profile, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/). The Security Target describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The Administrative Guide provides guidance on configuring the product to match the evaluated configuration. The Certification Report or Validation Report documents the results of the evaluation by the validation team, with the Assurance Activity Report providing details on the evaluator's actions. +### Microsoft Windows Server, Windows 10 version 1909 (November 2019 Update), Microsoft Windows Server 2019 (version 1809) Hyper-V +Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization. + +- [Security Target](https://download.microsoft.com/download/5/f/6/5f6efbb4-88a0-4161-953d-de07450b7107/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Security%20Target.pdf) +- [Administrative Guide](https://download.microsoft.com/download/7/5/0/750db292-f3d3-48c9-9557-aa64237a0e22/Virtualization%201909%20Administrative%20Guide.pdf) +- [Validation Report](https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf) +- [Assurance Activities Report](https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf) + ### Microsoft Windows 10 and Windows Server (November 2019 Update, version 1909) Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.