From bf217cf053779977d2a651069d1d49a5377f1650 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 18 Jan 2021 12:48:34 +0500 Subject: [PATCH 01/31] Update bitlocker-device-encryption-overview-windows-10.md --- .../bitlocker-device-encryption-overview-windows-10.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 34008453ad..c4907449b5 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md 
@@ -82,6 +82,9 @@ Microsoft recommends that BitLocker Device Encryption be enabled on any systems Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. +> [!NOTE] +> BitLocker Device Encryption feature uses XTS-AES 128-bit encryption method. In case you need to use different encryption method and/or cipher strength, device must be decrypted first. After that, different Bitlocker settings can be applied. + ## Used Disk Space Only encryption BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused. From f1034be901a73648fcc7141060df5f4a0f57d111 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 20 Jan 2021 18:30:06 +0500 Subject: [PATCH 02/31] Update windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../bitlocker-device-encryption-overview-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index c4907449b5..714d9c0db7 100644 
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -83,7 +83,7 @@ Microsoft recommends that BitLocker Device Encryption be enabled on any systems Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. > [!NOTE] -> BitLocker Device Encryption feature uses XTS-AES 128-bit encryption method. In case you need to use different encryption method and/or cipher strength, device must be decrypted first. After that, different Bitlocker settings can be applied. +> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that, different BitLocker settings can be applied. ## Used Disk Space Only encryption From d1b7eb7d5793da26f15208e3eb3e6d867c8cb64a Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 23 Jan 2021 22:17:30 +0500 Subject: [PATCH 03/31] Added a Store Content Related URL As the user has mentioned that to access the content of the store required URL was missing. I have updated the URL. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8874 Reset of the URL's mentioned in the comment doesn't have any reference in MS docs and previous version document. So as of now, I have dropped them. Thanks. Imran. --- windows/privacy/manage-windows-20H2-endpoints.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index d449b47b4c..ccf035d76b 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md 
@@ -85,6 +85,7 @@ The following methodology was used to derive these network endpoints: |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| ||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is needed to load the content in Microsoft Store App.|HTTPS|livetileedge.dsx.mp.microsoft.com| ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. 
If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| ||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| From 69a35d2ba82ec7d50e2e89821730097705976165 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 24 Jan 2021 16:53:16 +0500 Subject: [PATCH 04/31] Update windows/privacy/manage-windows-20H2-endpoints.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/privacy/manage-windows-20H2-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index ccf035d76b..0d7d37c2fe 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md 
@@ -85,7 +85,7 @@ The following methodology was used to derive these network endpoints: |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| ||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| -||The following endpoint is needed to load the content in Microsoft Store App.|HTTPS|livetileedge.dsx.mp.microsoft.com| +||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. 
If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| ||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| From fc8b4b5ace2289960f62f476cd0b2273442958ac Mon Sep 17 00:00:00 2001 From: Friedrich Weinmann Date: Mon, 1 Feb 2021 16:27:20 +0100 Subject: [PATCH 05/31] Removing bad security practice Secrets should not be stored in clear text files. Also added syntax highlighting for PowerShell --- .../exposed-apis-create-app-webapp.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index dbec1029c4..ba69e010b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md 
@@ -114,8 +114,8 @@ For more information on Azure AD tokens, see the [Azure AD tutorial](https://doc ### Use PowerShell -``` -# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory +```powershell +# That code gets the App Context Token and save it to the variable $token for later use in the script # Paste below your Tenant ID, App ID and App Secret (App key). $tenantId = '' ### Paste your tenant ID here @@ -132,8 +132,6 @@ $authBody = [Ordered] @{ } $authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop $token = $authResponse.access_token -Out-File -FilePath "./Latest-token.txt" -InputObject $token -return $token ``` ### Use C#: From 7339433924a6d11ba35669fcb2168bfaa912582b Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 4 Feb 2021 15:14:39 -0800 Subject: [PATCH 06/31] Update windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/exposed-apis-create-app-webapp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index ba69e010b7..9b4c3f384c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md 
@@ -115,8 +115,8 @@ For more information on Azure AD tokens, see the [Azure AD tutorial](https://doc ### Use PowerShell ```powershell -# That code gets the App Context Token and save it to the variable $token for later use in the script -# Paste below your Tenant ID, App ID and App Secret (App key). +# This script acquires the App Context Token and stores it in the variable $token for later use in the script. +# Paste your Tenant ID, App ID and App Secret (App key) into the indicated quotes below. $tenantId = '' ### Paste your tenant ID here $appId = '' ### Paste your Application ID here From dccb819e1223e42900bcb1271e08a21cc91ec9fe Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 11 Feb 2021 10:19:04 +0500 Subject: [PATCH 07/31] markdown adjustments As suggested, make corrections in the markdown of the text. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9114 --- .../credential-guard/credential-guard-considerations.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index 90a4a08397..b69fe341ce 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md 
@@ -42,9 +42,9 @@ As the depth and breadth of protections provided by Windows Defender Credential ### Saved Windows Credentials Protected Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites are not protected since the applications require your cleartext password. If the application does not need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: - - Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed." - - Applications that extract Windows credentials fail. - - When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials. +* Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed." +* Applications that extract Windows credentials fail. +* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. 
Otherwise, you cannot restore those credentials. ## Clearing TPM Considerations Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost. From 4a739cfac804974a63d5e2d90c18f35d4e0cf1c2 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sun, 14 Feb 2021 03:29:02 +0100 Subject: [PATCH 08/31] Azure ATP: Microsoft Defender for Identity From issue ticket #9142 (**old product name - Azure ATP**): > **Azure ATP is now called Defender for Identity, please update the text on this page.** Changes proposed: - Replace "Azure ATP" with 'Microsoft Defender for Identity' Codestyle & whitespace: - Add missing MarkDown indent marker compatibility spacing Closes #9142 --- .../advanced-features.md | 55 +++++++++---------- 1 file changed, 27 insertions(+), 28 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 0230069f42..ac0a1aff78 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md 
@@ -1,7 +1,7 @@ --- -title: Configure advanced features in Microsoft Defender ATP -description: Turn on advanced features such as block file in Microsoft Defender Advanced Threat Protection. -keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, azure atp, office 365, azure information protection, intune +title: Configure advanced features in Microsoft Defender for Endpoint +description: Turn on advanced features such as block file in Microsoft Defender for Endpoint. +keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, microsoft defender for identity, office 365, azure information protection, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security @@ -27,7 +27,7 @@ ms.technology: mde - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with. 
@@ -63,13 +63,13 @@ Enabling this feature allows you to run unsigned scripts in a live response sess For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature. ->[!TIP] ->For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page. +> [!TIP] +> For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page. ->[!NOTE] +> [!NOTE] > ->- The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device. ->- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it. +> - The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device. +> - If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it. ## Allow or block file 
@@ -100,8 +100,8 @@ To use this feature, devices must be running Windows 10 version 1709 or later. T For more information, see [Manage indicators](manage-indicators.md). ->[!NOTE] ->Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Defender for Endpoint data. +> [!NOTE] +> Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Defender for Endpoint data. ## Show user details @@ -117,15 +117,15 @@ For more information, see [Investigate a user account](investigate-user.md). Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks. ->[!NOTE] +> [!NOTE] > When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode. ## Azure Advanced Threat Protection integration The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view. ->[!NOTE] ->You'll need to have the appropriate license to enable this feature. +> [!NOTE] +> You'll need to have the appropriate license to enable this feature. ## Office 365 Threat Intelligence connection 
@@ -133,8 +133,8 @@ This feature is only available if you have an active Office 365 E5 or the Threat When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices. ->[!NOTE] ->You'll need to have the appropriate license to enable this feature. +> [!NOTE] +> You'll need to have the appropriate license to enable this feature. To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). 
@@ -142,15 +142,15 @@ To receive contextual device integration in Office 365 Threat Intelligence, you' Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Defender for Endpoint portal's alerts dashboard and via email if you configure it. ->[!NOTE] ->The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security). +> [!NOTE] +> The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security). ## Microsoft Cloud App Security Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. ->[!NOTE] ->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. 
+> [!NOTE] +> This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. ## Azure Information Protection 
@@ -158,13 +158,13 @@ Turning on this setting allows signals to be forwarded to Azure Information Prot ## Microsoft Secure Score -Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. +Forwards Microsoft Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. -### Enable the Microsoft Defender ATP integration from the Azure ATP portal +### Enable the Microsoft Defender for Endpoint integration from the Microsoft Defender for Identity portal -To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. +To receive contextual device integration in Microsoft Defender for Identity, you'll also need to enable the feature in the Microsoft Defender for Identity portal. -1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role. +1. Log in to the [Microsoft Defender for Identity portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role. 2. Click **Create your instance**. 
@@ -176,8 +176,8 @@ After completing the integration steps on both portals, you'll be able to see re Defender for Endpoint can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement. ->[!IMPORTANT] ->You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md). +> [!IMPORTANT] +> You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md). This feature is only available if you have the following: @@ -188,7 +188,7 @@ This feature is only available if you have the following: When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It should not be deleted. ->[!NOTE] +> [!NOTE] > The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints. ## Preview features @@ -207,4 +207,3 @@ After configuring the [Security policy violation indicators](https://docs.micros - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications](configure-email-notifications.md) - From d2390f333a8dd51c2df1fcb803d17fc0d9650790 Mon Sep 17 00:00:00 2001 
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Mon, 15 Feb 2021 21:39:22 +0100 Subject: [PATCH 09/31] Comma added after version number MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit "For tenants created on or after Windows 10, version 1809, […]" Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/advanced-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index ac0a1aff78..b849971fb1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -61,7 +61,7 @@ Enabling this feature allows you to run unsigned scripts in a live response sess ## Autoresolve remediated alerts -For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature. +For tenants created on or after Windows 10, version 1809, the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature. > [!TIP] > For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page. From c2bf9746e4a0b2bd7c80aa21d7d2aca835b4bd34 Mon Sep 17 00:00:00 2001 
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Mon, 15 Feb 2021 21:40:42 +0100 Subject: [PATCH 10/31] Add missing particle "to" in the opening clause "> For tenants created prior to that version," Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/advanced-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index b849971fb1..9df4bdc1d8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -64,7 +64,7 @@ Enabling this feature allows you to run unsigned scripts in a live response sess For tenants created on or after Windows 10, version 1809, the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature. > [!TIP] -> For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page. +> For tenants created prior to that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page. > [!NOTE] > From 8ce41e88db630de8a362821258185c9c5e69d6e9 Mon Sep 17 00:00:00 2001 
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Mon, 15 Feb 2021 21:48:05 +0100 Subject: [PATCH 11/31] Add missing comma after the build version support page link MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit "[…] [KB4489899](https://support.microsoft.com/help/4489899)), or later Windows 10 versions." Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/advanced-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 9df4bdc1d8..0dbdc3b8db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md 
@@ -150,7 +150,7 @@ Out of the two Microsoft Threat Expert components, targeted attack notification Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. > [!NOTE] -> This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. +> This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)), or later Windows 10 versions. ## Azure Information Protection From f1df1bb196d2492934d7891b92f6b3bbdc43d7d2 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Mon, 15 Feb 2021 21:52:11 +0100 Subject: [PATCH 12/31] Minor grammar adjustments - Singular noun possessive: "devices" -> device's - Remove redundant particle "the" Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/advanced-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 0dbdc3b8db..f26b476606 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -158,7 +158,7 @@ Turning on this setting allows signals to be forwarded to Azure Information Prot ## Microsoft Secure Score -Forwards Microsoft Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. +Forwards Microsoft Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the device's security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data. ### Enable the Microsoft Defender for Endpoint integration from the Microsoft Defender for Identity portal From fc7f966b83baee50b1eeca70115c4eaac94b0b5a Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 16 Feb 2021 20:11:24 +0100 Subject: [PATCH 13/31] Update link to Office 365 Threat Intelligence overview Old link: https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512 Redirects to: https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-ti New title based on the redirect landing page: **Threat investigation and response** --- .../microsoft-defender-atp/advanced-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index f26b476606..1ddb88986f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -136,7 +136,7 @@ When you turn this feature on, you'll be able to incorporate data from Office 36 > [!NOTE] > You'll need to have the appropriate license to enable this feature. -To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). +To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Threat investigation and response](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-ti). ## Microsoft Threat Experts From 65f3339a27348fdb52e16e3dbe2b4f4b1ae1c2c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robin=20M=C3=BCller?= Date: Wed, 17 Feb 2021 15:33:25 +0100 Subject: [PATCH 14/31] Fixed Syntax errors in applocker-csp.md --- windows/client-management/mdm/applocker-csp.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 9904301173..362aae37c3 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md 
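Review bot: the sentence and its link now name the feature differently: the sentence still says "To receive contextual device integration in Office 365 Threat Intelligence" while the link text reads "Threat investigation and response". Either keep the sentence and phrase the link as the destination ("see the Threat investigation and response overview") or update both names together. Replacing the support.office.com redirect with the docs.microsoft.com target and dropping the `en-us` locale segment is the right move, since locale-free links follow the reader's site language.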
@@ -289,9 +289,9 @@ The following table show the mapping of information to the AppLocker publisher r Here is an example AppLocker publisher rule: ``` syntax -FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*"> + - + ``` You can get the publisher name and product name of apps using a web API. @@ -299,7 +299,7 @@ You can get the publisher name and product name of apps using a web API. **To find publisher and product name for Microsoft apps in Microsoft Store for Business** 1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote. -2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https:<\span>//www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**. +2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**. 3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. @@ -313,14 +313,11 @@ You can get the publisher name and product name of apps using a web API. - +

https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata

https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata

- - -~~~ Here is the example for Microsoft OneNote: Request @@ -339,7 +336,6 @@ Result "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" } ``` -~~~ From 3ea4da1c0d503588d353f31063bbb7397e63ceb7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ant=C3=B3nio=20Vasconcelos?= Date: Wed, 17 Feb 2021 16:11:17 +0000 Subject: [PATCH 15/31] Lookback window for modified queries Note on lookback window when Custom Detections are changed and how that can impact the AH CPU quota from a customer tenant. --- .../microsoft-defender-atp/custom-detection-rules.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 8baab3e6c4..4680ae07fa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -91,6 +91,10 @@ When saved, a new custom detection rule immediately runs and checks for matches - **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours - **Every hour**—runs hourly, checking data from the past 2 hours +> [!IMPORTANT] +>When changing a query that is already scheduled as a Custom Detection, it's next immediate execution will have a lookback window of 30 days, exactly as if a new query was being created. +>Changes to a large number of queries, and with time filters higher than the default lookback durantion for the selected frequency, might have an impact in the overall quota consumption of Advanced Hunting and resulting in exhausting the daily quota. + > [!TIP] > Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored. From 7b6feb137650f7443d71ce73f4c8516562e54296 Mon Sep 17 00:00:00 2001 
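Review bot: the `-` line at @@ -289 starts with `FilePublisherCondition PublisherName=...` and ends in a bare `>` with no opening `<`, which is the syntax error the commit title refers to; make sure the replacement `+` line is a complete `<FilePublisherCondition ...>` element, because readers are expected to paste this rule into a policy. Two related points: the opening fence is "``` syntax", which is not a highlighter name, so use "```xml" so the element renders with highlighting; and the hunk at @@ -339 correctly drops the stray `~~~` that was closing a block opened with ```, since mismatched fence markers leave the rest of the page rendered as code. The rewrite of `https:<\span>//` to a plain URL at @@ -299 is also right; the span was an authoring artifact, not an escape that Markdown needs.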
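Review bot: the added IMPORTANT block at @@ -91 needs a grammar and spelling pass before merge: "it's next immediate execution" should be "its", "durantion" should be "duration", "might have an impact in" should be "on", and "and resulting in exhausting the daily quota" does not parse (suggest "and can exhaust the daily quota"). Both added lines also begin ">When" and ">Changes" with no space after the marker, unlike the "> [!TIP]" block just below; match that style. The content itself is the operational point worth keeping: an edited rule re-runs over 30 days of data regardless of its schedule, so bulk edits to rules with wide time filters can burn the Advanced Hunting quota, and it helps to say that the 30-day lookback applies per edited rule so readers stage large changes.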
From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Wed, 17 Feb 2021 20:23:45 +0100 Subject: [PATCH 16/31] Update controlled-folders.md CFA will allow Powershell.exe to write to protected folder when it is added to the allowed application list --- .../microsoft-defender-atp/controlled-folders.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index c7281f84af..f227cf31b8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md 
@@ -33,7 +33,7 @@ ms.technology: mde Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). > [!NOTE] -> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you add it as an application you trust or allow with [certificate and file indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates). +> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with [certificate and file indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates). Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). From f5b9321e3a1f67b0adab029138d2aebdcec07d2a Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Wed, 17 Feb 2021 20:28:28 +0100 Subject: [PATCH 17/31] Update customize-controlled-folders.md Allow signed executable files to access protected folders, does not apply to scripting engines like Powershell --- .../microsoft-defender-atp/customize-controlled-folders.md | 3 +++ 1 file changed, 3 insertions(+) 
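Review bot: the edited note now contradicts itself. The first sentence, left unchanged, still says "Scripting engines are not trusted and you cannot allow them access to controlled protected folders", while the commit message says PowerShell.exe is allowed once it is on the allowed application list; only "even if you add it as an application you trust or" was removed. If the allowed-application list does work for PowerShell, the first sentence needs the same correction, otherwise readers will never try the supported path. The remaining clause is also ungrammatical: "even if you allow with [certificate and file indicators]" is missing its object; suggest "even if you allow it with certificate and file indicators".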
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 1517a11f36..7997959422 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -157,6 +157,9 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications] Microsoft Defender for Endpoint certificate and file indicators can allow signed executable files to access protected folders. For implementation details, see [Create indicators based on certificates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates). +> [!Note] +> This does no apply to scripting engines, including Powershell + ## Customize the notification For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Configure alert notifications in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications). From 60191119c35719e23144677ca019007194d77891 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Wed, 17 Feb 2021 22:00:00 +0100 Subject: [PATCH 18/31] Update microsoft-defender-antivirus-compatibility.md ForceDefenderPassiveMode does not exist... the correct setting is ForcePassiveMode --- .../microsoft-defender-antivirus-compatibility.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 20a13881ec..21f4fb839e 100644 
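Review bot: the added note at @@ -157 has three small defects: "does no apply" should be "does not apply", "Powershell" should be "PowerShell" as the product is spelled elsewhere in this repo, and the line lacks a terminating period. The alert marker is written "[!Note]" while the other pages in this series use "[!NOTE]"; keep it uppercase for consistency. It would also help the reader to say what does work for scripting engines, if the allowed-application route described in the previous commit for controlled-folders.md is confirmed, so the note offers a path forward rather than only an exclusion.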
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -56,12 +56,12 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh If you are using Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` -- Name: `ForceDefenderPassiveMode` +- Name: `ForcePassiveMode` - Type: `REG_DWORD` - Value: `1` > [!NOTE] -> The `ForceDefenderPassiveMode` registry key is not supported on Windows Server 2016. +> The `ForcePassiveMode` registry key is not supported on Windows Server 2016. (2) On Windows Server 2016, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In addition, Microsoft Defender Antivirus is not supported in passive mode. In those cases, [disable/uninstall Microsoft Defender Antivirus manually](microsoft-defender-antivirus-on-windows-server-2016.md#are-you-using-windows-server-2016) to prevent problems caused by having multiple antivirus products installed on a server. From e21d9474ed4e1c2a174b682fce4cd9eae21bdadf Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Wed, 17 Feb 2021 22:02:13 +0100 Subject: [PATCH 19/31] Update microsoft-defender-antivirus-on-windows-server-2016.md ForceDefenderPassiveMode does not exist, the correct setting is ForcePassiveMode see /amcore/Antimalware/Source/Published/inc/mpconfignames.h --- .../microsoft-defender-antivirus-on-windows-server-2016.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
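Review bot: the rename from `ForceDefenderPassiveMode` to `ForcePassiveMode` at @@ -56 now conflicts with the three migration guides in this same series (the mcafee, symantec and switch setup pages), which still tell readers to create a DWORD called **ForceDefenderPassiveMode** under the same `Windows Advanced Threat Protection` key. Both cannot be right, and the failure mode is silent: the registry accepts any value name, so a reader who follows the wrong page gets no error and Microsoft Defender Antivirus simply stays in active mode alongside the third-party product. The commit message cites an internal header (`mpconfignames.h`) that cannot be checked from this PR; please have a product owner confirm the value name and then apply the same name on all five pages in one commit.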
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index 0f1c9bbc2f..4eb54041c7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md @@ -177,7 +177,7 @@ If you are using a non-Microsoft antivirus product as your primary antivirus sol If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` -- Name: `ForceDefenderPassiveMode` +- Name: `ForcePassiveMode` - Type: `REG_DWORD` - Value: `1` From 9dc4c6e3354d40926cd3a2097d2adeafbdd164a3 Mon Sep 17 00:00:00 2001 From: Rei Ikei <47890550+reiikei@users.noreply.github.com> Date: Thu, 18 Feb 2021 09:27:21 +0900 Subject: [PATCH 20/31] Update customize-windows-10-start-screens-by-using-mobile-device-management.md My customer requested to add this note, because if the Start layout XML file includes XML Prologs, it is not reflected to Windows 10 Version 2004. --- ...ndows-10-start-screens-by-using-mobile-device-management.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 047006fce2..436f7e65d8 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md 
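Review bot: same value-name question as in the compatibility page hunk; the two server pages must agree with each other and with the migration guides before this merges. Separately, the lead sentence here says "Windows Server, version 1803 or Windows Server 2019" while the compatibility page says "version 1803 or newer, or Windows Server 2019"; align the supported-version wording while the passage is being touched.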
@@ -51,6 +51,9 @@ Two features enable Start layout control: - In Microsoft Intune, you select the Start layout XML file and add it to a device configuration profile. + >[!NOTE] + >Please do not include XML Prologs like \ in the Start layout XML file. The settings may not be reflected correctly. + ## Create a policy for your customized Start layout From 6ed629e24ff4f96affd8b27e356f32631c8c3241 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Feb 2021 08:23:43 +0530 Subject: [PATCH 21/31] added commands, made some words to bold as per the user report issue #9167 , so i added **net start cryptsvc** **net stop cryptsvc**. Also, i corrected some commands after verifying windows 10 on my laptop, and then i made few words to **bold**. This PR must be checked carefully by verifiers. --- .../update/windows-update-resources.md | 31 ++++++++++--------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index 49b83d23f1..ae68206cec 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md 
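Review bot: the example in the added note at @@ -51 has been lost in rendering: the text reads "XML Prologs like \ in the Start layout XML file", with a stray backslash where the `<?xml ... ?>` declaration should appear, which suggests the declaration was backslash-escaped and the renderer swallowed it as a tag. Put the prolog in backticks so it renders literally. Also prefer "Do not include an XML prolog (the `<?xml ... ?>` declaration)" over "Please do not include XML Prologs", and the note is indented under the Intune bullet, so confirm it is meant to apply only to the Intune path rather than to both Start layout methods above it.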
@@ -42,29 +42,30 @@ The following resources provide additional information about using Windows Updat ``` console cmd ``` -2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. +2. Stop the **BITS service**, the **Windows Update service** and the **Cryptographic service**. To do this, type the following commands at a command prompt. Press ENTER after you type each command. ``` console net stop bits net stop wuauserv + net stop cryptsvc ``` -3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER: +3. Delete the **qmgr\*.dat** files. To do this, type the following command at a command prompt, and then press ENTER: ``` console Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" ``` 4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above. 1. Rename the following folders to *.BAK: ``` console - %systemroot%\SoftwareDistribution\DataStore - %systemroot%\SoftwareDistribution\Download - %systemroot%\system32\catroot2 + %Systemroot%\SoftwareDistribution\DataStore + %Systemroot%\SoftwareDistribution\Download + %Systemroot%\System32\catroot2 ``` To do this, type the following commands at a command prompt. Press ENTER after you type each command. 
``` console - Ren %systemroot%\SoftwareDistribution\DataStore *.bak - Ren %systemroot%\SoftwareDistribution\Download *.bak - Ren %systemroot%\system32\catroot2 *.bak + Ren %Systemroot%\SoftwareDistribution\DataStore DataStore.bak + Ren %Systemroot%\SoftwareDistribution\Download Download.bak + Ren %Systemroot%\System32\catroot2 catroot2.bak ``` - 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + 2. Reset the **BITS service** and the **Windows Update service** to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. ``` console sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) @@ -73,7 +74,7 @@ The following resources provide additional information about using Windows Updat ``` console cd /d %windir%\system32 ``` -6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command. +6. Reregister the **BITS** files and the **Windows Update** files. To do this, type the following commands at a command prompt. Press ENTER after you type each command. ``` console regsvr32.exe atl.dll @@ -114,7 +115,7 @@ The following resources provide additional information about using Windows Updat regsvr32.exe wuwebv.dll ``` -7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER: +7. Reset **Winsock**. To do this, type the following command at a command prompt, and then press ENTER: ``` console netsh winsock reset ``` 
@@ -122,13 +123,13 @@ The following resources provide additional information about using Windows Updat ``` console proxycfg.exe -d ``` -9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. +9. Restart the **BITS service**, the **Windows Update service** and the **Cryptographic service**. To do this, type the following commands at a command prompt. Press ENTER after you type each command. ``` console net start bits - - net start wuauserv + net start wuauserv + net start cryptsvc ``` -10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER: +10. If you are running Windows Vista or Windows Server 2008, clear the **BITS** queue. To do this, type the following command at a command prompt, and then press ENTER: ``` console bitsadmin.exe /reset /allusers ``` From 24d477291a28811e88ed0b0c4a9126cb55186131 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 17 Feb 2021 21:36:01 -0800 Subject: [PATCH 22/31] Update windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/exposed-apis-create-app-webapp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index 9b4c3f384c..17498cdd14 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md 
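Review bot: adding `net stop cryptsvc` to step 2 at @@ -42 is the right fix for the step-4 rename of `%Systemroot%\System32\catroot2`: Cryptographic Services holds that folder open, so the rename fails while it runs, and the old text never stopped it. Two follow-ups: the `Ren` commands now use explicit targets (`DataStore.bak`, `Download.bak`, `catroot2.bak`), which is clearer than `*.bak` and matches the "Rename the following folders to *.BAK" wording, but the change from `%systemroot%` to `%Systemroot%` is a no-op (environment variable names are case-insensitive in cmd) and only adds diff noise; pick one casing for the whole file. Step 2's list "the **BITS service**, the **Windows Update service** and the **Cryptographic service**" should also get the serial comma the rest of this series has been adding.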
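Review bot: the restart hunk at @@ -122 mirrors the stop list and removes the blank line inside the console block, which is fine, but start the services in the order the earlier steps need them: `net start cryptsvc` before `net start wuauserv`, since step 4 renamed the catroot2 folder and Cryptographic Services recreates it on start, so the catalog store exists before Windows Update runs; listing it last reads as an afterthought. The step-10 guidance for Windows Vista and Windows Server 2008 is unchanged context; both are out of support, so consider whether that step still belongs in a Windows 10 troubleshooting article.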
@@ -116,7 +116,7 @@ For more information on Azure AD tokens, see the [Azure AD tutorial](https://doc ```powershell # This script acquires the App Context Token and stores it in the variable $token for later use in the script. -# Paste your Tenant ID, App ID and App Secret (App key) into the indicated quotes below. +# Paste your Tenant ID, App ID, and App Secret (App key) into the indicated quotes below. $tenantId = '' ### Paste your tenant ID here $appId = '' ### Paste your Application ID here From dd01503ad8de2ac06cc4eeede1d1fdd4ec99b357 Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Thu, 18 Feb 2021 11:53:09 +0200 Subject: [PATCH 23/31] Update mcafee-to-microsoft-defender-setup.md Fixed typo --- .../mcafee-to-microsoft-defender-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md index 7dd1dd5614..8fa01a26dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md @@ -115,7 +115,7 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint. 1. Open Registry Editor, and then navigate to
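Review bot: the comma fix is fine, but the comment it sits in is the bigger review point: the script asks the reader to paste the App Secret (App key) into a quoted literal in the script body, in the same way the visible `$tenantId = ''` and `$appId = ''` lines do, which leaves a long-lived client secret in a saved .ps1, in PowerShell transcripts and in whatever repository the script is checked into. While this line is being edited, add a sentence pointing readers at reading the secret from an environment variable or `Read-Host -AsSecureString` instead of a literal, and note that a secret that has been pasted into a file should be rotated.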
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. + `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`. 2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: From 0f0e1c6fb2d2711f06430968669ad78a45d069e8 Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Thu, 18 Feb 2021 11:53:32 +0200 Subject: [PATCH 24/31] Update symantec-to-microsoft-defender-atp-setup.md fixed typo --- .../symantec-to-microsoft-defender-atp-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md index 9224748cb5..d4b696ac3d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -80,7 +80,7 @@ Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint. 1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. + `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`. 2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: - Set the DWORD's value to **1**. - Under **Base**, select **Hexadecimal**. From 559d0601f21fc8f2579c247564b0cecd931ed6cf Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Thu, 18 Feb 2021 11:53:57 +0200 Subject: [PATCH 25/31] Update switch-to-microsoft-defender-setup.md fixed typo --- .../switch-to-microsoft-defender-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md index 1c9d5914a9..01e4796db3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md @@ -93,7 +93,7 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d Because your organization is still using your existing endpoint protection solution, you must set Microsoft Defender Antivirus to passive mode. That way, your existing solution and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint. 1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. + `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`. 2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: - Set the DWORD's value to **1**. - Under **Base**, select **Hexadecimal**. From bb9923288825b09ab679a6e08e50c7f8491e3ac7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 18 Feb 2021 08:46:27 -0800 Subject: [PATCH 26/31] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 87dd461c37..5aabbdddd6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -20,7 +20,7 @@ ms.collection: - m365initiative-defender-endpoint - m365solution-scenario - m365scenario-fpfn -ms.topic: conceptual +ms.topic: how-to ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola ms.custom: FPFN --- From 8a923ca322b28aa8870e0ba7429f7b0ebba1f77d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 18 Feb 2021 09:04:37 -0800 Subject: [PATCH 27/31] Update switch-to-microsoft-defender-setup.md --- .../switch-to-microsoft-defender-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md index 01e4796db3..ae1e5d1526 100644 
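Review bot: the path fix is correct and consistent across all three migration guides (mcafee, symantec and switch): each now uses `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`, matching the `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` path on the antivirus compatibility and Server 2016 pages earlier in this series; the missing `Microsoft\` segment would have sent readers to a key the product never reads. The unchanged step 2 in each of the three hunks still names the value **ForceDefenderPassiveMode**, whereas patches 18 and 19 rename it to `ForcePassiveMode`; the five pages must settle on one name before this series merges.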
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md @@ -19,7 +19,7 @@ ms.collection: - m365solution-migratetomdatp ms.topic: article ms.custom: migrationguides -ms.date: 02/11/2021 +ms.date: 02/18/2021 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho --- From 62420b574bf968f40f184442ac400e8da82649da Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 18 Feb 2021 09:06:06 -0800 Subject: [PATCH 28/31] Update symantec-to-microsoft-defender-atp-setup.md --- .../symantec-to-microsoft-defender-atp-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md index d4b696ac3d..720a1e9e08 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -18,7 +18,7 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article -ms.date: 02/11/2021 +ms.date: 02/18/2021 ms.custom: migrationguides ms.reviewer: depicker, yongrhee, chriggs --- From 47fabcc57d0fe2ccda696f7d5c3b6e0a5dd5cdc0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 18 Feb 2021 09:06:56 -0800 Subject: [PATCH 29/31] Update mcafee-to-microsoft-defender-setup.md --- .../mcafee-to-microsoft-defender-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md index 8fa01a26dd..92e59213ed 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md @@ -20,7 +20,7 @@ ms.collection: - m365solution-scenario ms.topic: article ms.custom: migrationguides -ms.date: 02/11/2021 +ms.date: 02/18/2021 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho --- From e94675e7dcad1ccc1e67e8f1a4f5be181a8e6047 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 18 Feb 2021 13:32:12 -0800 Subject: [PATCH 30/31] pencil edit --- ...indows-10-start-screens-by-using-mobile-device-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 436f7e65d8..4f28ec54ab 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -1,6 +1,6 @@ --- title: Alter Windows 10 Start and taskbar via mobile device management -description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and tasbkar layout to users. +description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 ms.reviewer: manager: dansimp From be5d7fb6a91c97b1486f2958aa8484f679b10423 Mon Sep 17 00:00:00 2001 
From: Robert Durff Date: Fri, 19 Feb 2021 12:46:54 -0800 Subject: [PATCH 31/31] Add latest completed CC evaluation to topic The security evaluation team just completed the latest Common Criteria evaluation against Windows Server + Windows 10. Adding the evaluation to the Common Criteria topic, including links to downloadable evaluation documentation (Security Target, Admin Guide, Validation Report, Assurance Activities Report). --- .../threat-protection/windows-platform-common-criteria.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index 3bcba3890f..6b859eac3c 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md 
@@ -22,6 +22,14 @@ Microsoft is committed to optimizing the security of its products and services. The product releases below are currently certified against the cited Protection Profile, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/). The Security Target describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The Administrative Guide provides guidance on configuring the product to match the evaluated configuration. The Certification Report or Validation Report documents the results of the evaluation by the validation team, with the Assurance Activity Report providing details on the evaluator's actions. +### Microsoft Windows Server, Windows 10 version 1909 (November 2019 Update), Microsoft Windows Server 2019 (version 1809) Hyper-V +Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization. 
+ +- [Security Target](https://download.microsoft.com/download/5/f/6/5f6efbb4-88a0-4161-953d-de07450b7107/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Security%20Target.pdf) +- [Administrative Guide](https://download.microsoft.com/download/7/5/0/750db292-f3d3-48c9-9557-aa64237a0e22/Virtualization%201909%20Administrative%20Guide.pdf) +- [Validation Report](https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf) +- [Assurance Activities Report](https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf) + ### Microsoft Windows 10 and Windows Server (November 2019 Update, version 1909) Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.
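Review bot: In PATCH 31/31 (windows-platform-common-criteria.md, hunk `@@ -22,6 +22,14 @@`), the new heading "Microsoft Windows Server, Windows 10 version 1909 (November 2019 Update), Microsoft Windows Server 2019 (version 1809) Hyper-V" does not follow the naming convention of the section directly below it, "Microsoft Windows 10 and Windows Server (November 2019 Update, version 1909)"; consider "Microsoft Windows 10 and Windows Server (November 2019 Update, version 1909), Windows Server 2019 (version 1809) Hyper-V" so the 1909 and 1809 entries read the same way. Also, the intro paragraph promises that each entry is certified against "the cited Protection Profile", but the added line names only "the Protection Profile for Virtualization, including the Extended Package for Server Virtualization" with no version; stating the PP and Extended Package versions (or linking the portal listing the intro refers to) lets a reader confirm the certification independently, which is what this topic exists for. The four download links are consistent with the Security Target, Administrative Guide, Validation Report and Assurance Activities Report the intro describes, so nothing further is needed there.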