From ba254945bca9d89ba086bb0335af869db81c289c Mon Sep 17 00:00:00 2001 From: Iaan Date: Mon, 8 Aug 2016 13:00:31 -0700 Subject: [PATCH 1/7] BAFS - edit for review of GP and regkey; EN - edit for review of GP enable vs disable --- .../windows-defender-block-at-first-sight.md | 18 ++++++---- ...windows-defender-enhanced-notifications.md | 34 +++++++++++++++++-- 2 files changed, 43 insertions(+), 9 deletions(-) diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md index de89c2fde6..179ad0de5a 100644 --- a/windows/keep-secure/windows-defender-block-at-first-sight.md +++ b/windows/keep-secure/windows-defender-block-at-first-sight.md @@ -20,9 +20,9 @@ author: iaanw Block at First Sight is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds. -You can enable Block at First Sight with Group Policy or individually on endpoints. +It is enabled by default when certain pre-requisite settings are also enabled. -## Backend processing and near-instant determinations +## How it works When a Windows Defender client encounters a suspicious but previously undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. 
@@ -79,6 +79,10 @@ Block at First Sight requires a number of Group Policy settings to be configured **Enable Block at First Sight with Group Policy** +The Block at First Sight feature is automatically enabled when the pre-requisite settings have been applied. + +You can manually disable the feature. You might want to do this so you can turn off the feature but still retain the pre-requisite settings. + 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration**. 
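Review bot: in the @@ -79,6 +79,10 @@ hunk the added text says "You can manually disable the feature", but the bold heading kept as context directly above it still reads **Enable Block at First Sight with Group Policy**; rename it to **Disable Block at First Sight with Group Policy** so the heading matches the steps that follow. Separately, the step list in the same context jumps from "1. On your Group Policy management machine..." to "3. In the **Group Policy Management Editor**..."; either restore step 2 or renumber.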
@@ -87,16 +91,16 @@ Block at First Sight requires a number of Group Policy settings to be configured 5. Expand the tree through **Windows components > Windows Defender > MAPS**. -1. Double-click the **Configure the ‘Block at First Sight’ feature** setting and set the option to **Enabled**. +1. Double-click the **Configure the ‘Block at First Sight’ feature** setting and set the option to **Disabled**. > [!NOTE] - > The Block at First Sight feature will not function if the pre-requisite group policies have not been correctly set. + > Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies. ### Manually enable Block at First Sight on individual clients -To configure un-managed clients that are running Windows 10, Block at First Sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. +Block at First Sight is automatically enabled on un-managed clients that are running Windows 10, as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. You can manually disable the feature on individual endpoints. -**Enable Block at First Sight on individual clients** +**Disable Block at First Sight on individual clients** 1. Open Windows Defender settings: @@ -104,7 +108,7 @@ To configure un-managed clients that are running Windows 10, Block at First Sigh b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender**. -2. Switch **Cloud-based Protection** and **Automatic sample submission** to **On**. +2. Switch **Cloud-based Protection** and **Automatic sample submission** to **Off**. > [!NOTE] > These settings will be overridden if the network administrator has configured their associated Group Policies. The settings will appear grayed out and you will not be able to modify them if they are being managed by Group Policy. 
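Review bot: in the @@ -104,7 +108,7 @@ hunk, changing step 2 to "Switch **Cloud-based Protection** and **Automatic sample submission** to **Off**" turns off the cloud protection prerequisites themselves rather than just Block at First Sight, which contradicts the Group Policy section earlier in this patch ("turn off the feature but still retain the pre-requisite settings"), and the file's own MAPS note already says that reducing sample submission lowers the protection state of the device. Either add a warning to that effect beside step 2, or drop the endpoint-level disable procedure and point readers to the **Configure the 'Block at First Sight' feature** policy instead.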
diff --git a/windows/keep-secure/windows-defender-enhanced-notifications.md b/windows/keep-secure/windows-defender-enhanced-notifications.md index c3f51393f2..d6effcc2f2 100644 --- a/windows/keep-secure/windows-defender-enhanced-notifications.md +++ b/windows/keep-secure/windows-defender-enhanced-notifications.md @@ -22,9 +22,9 @@ In Windows 10, application notifications about malware detection and remediation Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals. -You can enable and disable enhanced notifications with the registry or in Windows Settings. +You can enable and disable enhanced notifications with the registry or in Windows Settings. -## Configure enhanced notifications +## Disable notifications You can disable enhanced notifications on individual endpoints in Windows Settings. 
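Review bot: in the @@ -22,9 +22,9 @@ hunk the removed and added "You can enable and disable enhanced notifications with the registry or in Windows Settings." lines are visibly identical, so this is a whitespace-only change that should be dropped from the patch; and the heading renamed from "Configure enhanced notifications" to "Disable notifications" no longer matches that sentence, which still promises both enabling and disabling, so consider "Enable or disable enhanced notifications" or add a re-enable step to the section.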
@@ -39,6 +39,36 @@ You can disable enhanced notifications on individual endpoints in Windows Settin ![Windows Defender enhanced notifications](images/defender/enhanced-notifications.png) + +**Use Group Policy to disable Windows Defender notifications:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings: + + 1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client. + + 1. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **Ok**. This will disable notifications that ask the endpoint user to reboot the machine to perform additional cleaning. +>[!NOTE] +>Usually, users are asked to reboot the endpoint to perform a scan with Windows Defender Offline. For details on performing offline scans, see the [Windows Defender Offline](windows-defender-offline.md#manage-notifications) topic. + +**Use the registry to disable Windows Defender enhanced notifications:** + +1. Click **Start**, type `Run`, and press **Enter**. +2. From the **Run** dialog box, type `regedit` and press **Enter**. +3. In the Registry Editor navigate to the following key: + ``` + HKLM\Software\Policies\Microsoft\Windows Defender + ``` +4. Right-click the Windows Defender key and add a new key. Name it `Features`. +5. Right-click the **Features** key you created and select **New** then **DWORD (32-bit) Value**. Name the value `DisableEnhancedNotifications`. +6. 
Double-click the **DisableEnhancedNotifications** value and set it to `1`. + + ## Related topics - [Windows Defender in Windows 10](windows-defender-in-windows-10.md) \ No newline at end of file From e84cd1c5f1b62d9e46227a3e91691d57360b67d1 Mon Sep 17 00:00:00 2001 From: iaanw Date: Wed, 10 Aug 2016 12:30:30 -0700 Subject: [PATCH 2/7] BAFS is enabled by default and can only be disabled manually --- .../windows-defender-block-at-first-sight.md | 85 +++++++++++-------- 1 file changed, 51 insertions(+), 34 deletions(-) diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md index 179ad0de5a..e6c2092f3f 100644 --- a/windows/keep-secure/windows-defender-block-at-first-sight.md +++ b/windows/keep-secure/windows-defender-block-at-first-sight.md @@ -18,9 +18,13 @@ author: iaanw - Windows 10, version 1607 +**Audience** + +- Network administrators + Block at First Sight is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds. -It is enabled by default when certain pre-requisite settings are also enabled. +It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. ## How it works 
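Review bot: in the enhanced-notifications hunk of PATCH 1/7 (@@ -39,6 +39,36 @@), the registry procedure only describes setting `DisableEnhancedNotifications` to `1`, with no step to revert, even though the topic says the registry can both enable and disable the feature; add the reverse step (for example, delete the value you created) so administrators are not left with a one-way switch. Step 3 also tells the reader to "navigate to" `HKLM\Software\Policies\Microsoft\Windows Defender` and step 4 to right-click it; consider saying to create it if it is not present on the endpoint. Two smaller points in the same hunk: the `>[!NOTE]` block about Windows Defender Offline immediately follows the nested "Suppresses reboot notifications" item with no blank line, so it will render as part of that list item; and "Click **Ok**" should be "Click **OK**" as in the item above it.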
@@ -36,17 +40,11 @@ The file-based determination typically takes 1 to 4 seconds. > Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files. -## Enable Block at First Sight +## Confirm Block at First Sight is enabled -### Use Group Policy to configure Block at First Sight +Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender deployments in enterprise networks. -You can use Group Policy to control whether Windows Defender will continue to lock a suspicious file until it is uploaded to the backend. - -This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device. - -Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. - -**Configure pre-requisite cloud protection Group Policy settings:** +**Confirm pre-requisite cloud protection Group Policy settings:** 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
@@ -56,9 +54,9 @@ Block at First Sight requires a number of Group Policy settings to be configured 5. Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following Group Policies: - 1. Double-click the **Join Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**. + 1. Double-click the **Join Microsoft MAPS** setting and ensure the option is set to **Enabled**. Click **OK**. - 1. Double-click the **Send file samples when further analysis is required** setting and set the option as **Enabled** and the additional options as either of the following: + 1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following: 1. Send safe samples (1) 
@@ -67,21 +65,54 @@ Block at First Sight requires a number of Group Policy settings to be configured > [!NOTE] > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function. - 1. Click OK after both Group Policies have been set. + 1. Click **OK**. 1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection**: - 1. Double-click the **Scan all downloaded files and attachments** setting and set the option to **Enabled**. Click **OK**. + 1. Double-click the **Scan all downloaded files and attachments** setting and ensure the option is set to **Enabled**. Click **OK**. - 1. Double-click the **Turn off real-time protection** setting and set the option to **Disabled**. Click **OK**. + 1. Double-click the **Turn off real-time protection** setting and ensure the option is set to **Disabled**. Click **OK**. + +If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. + +> [!IMPORTANT] +> There is no specific UI change or individual setting in System Center Configuration Manager to enable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. +## Confirm Block at First Sight is enabled on individual clients -**Enable Block at First Sight with Group Policy** +You can confirm that Block at First Sight is enabled in Windows Settings. The feature is automatically enabled, as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. -The Block at First Sight feature is automatically enabled when the pre-requisite settings have been applied. +**Confirm Block at First Sight is enabled on individual clients** -You can manually disable the feature. You might want to do this so you can turn off the feature but still retain the pre-requisite settings. 
+> [!IMPORTANT] +> Changes to the pre-requisite settings will determine whether the feature is enabled or not. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. + +> [!NOTE] +> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. + +1. Open Windows Defender settings: + + a. Open the Windows Defender app and click **Settings**. + + b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender**. + +2. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. + +> [!IMPORTANT] +> These settings can be overridden by future deployments of a Group Policy Object. + +## Disable Block at First Sight + +> [!WARNING] +> Disabling the Block at First Sight feature will lower the protection state of the endpoint and your network. + +You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. + +> [!NOTE] +> You cannot disable Block at First Sight with System Center Configuration Manager + +**Disable Block at First Sight with Group Policy** 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
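Review bot: in the @@ -67,21 +65,54 @@ hunk, "You can confirm that Block at First Sight is enabled in Windows Settings" overstates what the steps show: step 2 only confirms that **Cloud-based Protection** and **Automatic sample submission** are **On**, which are the prerequisites, and no step shows a control that names Block at First Sight itself; reword to "You can confirm that the pre-requisite settings for Block at First Sight are enabled in Windows Settings". Also, the added `> You cannot disable Block at First Sight with System Center Configuration Manager` line lacks a terminating period, and the new `## Confirm Block at First Sight is enabled on individual clients` heading sits directly after the `> [!IMPORTANT]` block with no blank line between them, unlike the other headings in this file.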
@@ -96,23 +127,9 @@ You can manually disable the feature. You might want to do this so you can turn > [!NOTE] > Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies. -### Manually enable Block at First Sight on individual clients - -Block at First Sight is automatically enabled on un-managed clients that are running Windows 10, as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. You can manually disable the feature on individual endpoints. - -**Disable Block at First Sight on individual clients** - -1. Open Windows Defender settings: - - a. Open the Windows Defender app and click **Settings**. - - b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender**. - -2. Switch **Cloud-based Protection** and **Automatic sample submission** to **Off**. - -> [!NOTE] -> These settings will be overridden if the network administrator has configured their associated Group Policies. The settings will appear grayed out and you will not be able to modify them if they are being managed by Group Policy. ## Related topics - [Windows Defender in Windows 10](windows-defender-in-windows-10.md) + + From 80969f68957d2cc014f62e7636ff1ba2eee2fc68 Mon Sep 17 00:00:00 2001 From: iaanw Date: Wed, 10 Aug 2016 12:41:50 -0700 Subject: [PATCH 3/7] Lower protection warning --- windows/keep-secure/windows-defender-block-at-first-sight.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md index e6c2092f3f..ce529ce56a 100644 --- a/windows/keep-secure/windows-defender-block-at-first-sight.md +++ b/windows/keep-secure/windows-defender-block-at-first-sight.md 
@@ -62,7 +62,7 @@ Block at First Sight requires a number of Group Policy settings to be configured 1. Send all samples (3) - > [!NOTE] + > [!WARNING] > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function. 1. Click **OK**. From 55104d4d769b6e5e84764606da6627479f24e270 Mon Sep 17 00:00:00 2001 From: iaanw Date: Thu, 11 Aug 2016 13:42:45 -0700 Subject: [PATCH 4/7] title updates --- .../keep-secure/windows-defender-block-at-first-sight.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md index ce529ce56a..35ad409bbd 100644 --- a/windows/keep-secure/windows-defender-block-at-first-sight.md +++ b/windows/keep-secure/windows-defender-block-at-first-sight.md @@ -12,7 +12,7 @@ localizationpriority: medium author: iaanw --- -# Enable the Block at First Sight feature in Windows 10 +# Block at First Sight **Applies to** @@ -40,7 +40,7 @@ The file-based determination typically takes 1 to 4 seconds. > Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files. -## Confirm Block at First Sight is enabled +## Confirm Block at First Sight is enabled at the Group Policy level Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender deployments in enterprise networks. 
@@ -79,7 +79,7 @@ If you had to change any of the settings, you should re-deploy the Group Policy > There is no specific UI change or individual setting in System Center Configuration Manager to enable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. -## Confirm Block at First Sight is enabled on individual clients +## Confirm Block at First Sight is enabled at the endpoint level You can confirm that Block at First Sight is enabled in Windows Settings. The feature is automatically enabled, as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. From 3c6cf6fb5fef0442dd2a309df118ac8f30cd149a Mon Sep 17 00:00:00 2001 From: Iaan Date: Thu, 11 Aug 2016 13:49:10 -0700 Subject: [PATCH 5/7] updates for structure --- .../windows-defender-block-at-first-sight.md | 26 +++++++------------ 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md index 35ad409bbd..e4a487a15b 100644 --- a/windows/keep-secure/windows-defender-block-at-first-sight.md +++ b/windows/keep-secure/windows-defender-block-at-first-sight.md 
@@ -40,11 +40,14 @@ The file-based determination typically takes 1 to 4 seconds. > Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files. -## Confirm Block at First Sight is enabled at the Group Policy level +## Confirm Block at First Sight is enabled Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender deployments in enterprise networks. -**Confirm pre-requisite cloud protection Group Policy settings:** +> [!IMPORTANT] +> There is no specific individual setting in System Center Configuration Manager to enable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. + +### Confirm Block at First Sight is enabled with Group Policy 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
@@ -75,22 +78,16 @@ Block at First Sight requires a number of Group Policy settings to be configured If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. -> [!IMPORTANT] -> There is no specific UI change or individual setting in System Center Configuration Manager to enable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. +### Confirm Block at First Sight is enabled with Windows Settings -## Confirm Block at First Sight is enabled at the endpoint level +> [!NOTE] +> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. You can confirm that Block at First Sight is enabled in Windows Settings. The feature is automatically enabled, as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. **Confirm Block at First Sight is enabled on individual clients** -> [!IMPORTANT] -> Changes to the pre-requisite settings will determine whether the feature is enabled or not. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. - -> [!NOTE] -> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. - 1. Open Windows Defender settings: a. Open the Windows Defender app and click **Settings**. 
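Review bot: in the @@ -75,22 +78,16 @@ hunk the merged `> [!NOTE]` uses "greyed-out" while the endpoint note this file carried until PATCH 2/7 spelled it "grayed out"; pick one spelling. Also, the bold line **Confirm Block at First Sight is enabled on individual clients** now sits directly under the new `### Confirm Block at First Sight is enabled with Windows Settings` heading and repeats it; drop the bold line or fold its wording into the heading.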
@@ -99,19 +96,16 @@ You can confirm that Block at First Sight is enabled in Windows Settings. The fe 2. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. -> [!IMPORTANT] -> These settings can be overridden by future deployments of a Group Policy Object. - ## Disable Block at First Sight > [!WARNING] > Disabling the Block at First Sight feature will lower the protection state of the endpoint and your network. -You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. - > [!NOTE] > You cannot disable Block at First Sight with System Center Configuration Manager +You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. + **Disable Block at First Sight with Group Policy** 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. From a0425c9942a2cf7bd75d875d0239a6bd5cfd37f1 Mon Sep 17 00:00:00 2001 From: iaanw Date: Fri, 12 Aug 2016 11:18:29 -0700 Subject: [PATCH 6/7] update how it works --- .../keep-secure/windows-defender-block-at-first-sight.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md index e4a487a15b..dae2dae33f 100644 --- a/windows/keep-secure/windows-defender-block-at-first-sight.md +++ b/windows/keep-secure/windows-defender-block-at-first-sight.md 
@@ -30,11 +30,9 @@ It is enabled by default when certain pre-requisite settings are also enabled. I When a Windows Defender client encounters a suspicious but previously undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. -If the cloud backend is unable to make a determination, a copy of the file is requested for additional processing and analysis in the cloud. +If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file. -If the Block at First Sight feature is enabled on the client, the file will be locked by Windows Defender while a copy is uploaded to the cloud, processed, and a verdict returned to the client. Only after a determination is returned from the cloud will Windows Defender release the lock and let the file run. - -The file-based determination typically takes 1 to 4 seconds. +In many cases this process can reduce the response time to new malware from hours to seconds. > [!NOTE] > Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files. From a6419a7b4ee9e59d38dc936d23033e234f9953a6 Mon Sep 17 00:00:00 2001 
From: Iaan Date: Mon, 15 Aug 2016 17:58:03 -0700 Subject: [PATCH 7/7] Final update for v2 --- windows/keep-secure/windows-defender-block-at-first-sight.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md index dae2dae33f..8abf7c0806 100644 --- a/windows/keep-secure/windows-defender-block-at-first-sight.md +++ b/windows/keep-secure/windows-defender-block-at-first-sight.md @@ -28,7 +28,7 @@ It is enabled by default when certain pre-requisite settings are also enabled. I ## How it works -When a Windows Defender client encounters a suspicious but previously undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. +When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file.
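Review bot: in the PATCH 6/7 hunk (@@ -30,11 +30,9 @@), the added sentence "The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file" reads as if every uploaded file is blocked from then on; qualify it, for example "and, if the file is found to be malicious, block all future encounters of it". The rewrite also drops the "1 to 4 seconds" figure and replaces "Only after a determination is returned from the cloud will Windows Defender release the lock" with "Only after the cloud has received the file will Windows Defender release the lock", which is a description of different behaviour rather than copy-editing; if that is the intended behaviour, the unchanged `> [!NOTE]` beneath it (locked "until it is finished uploading to the backend") is the statement to keep aligned with it, and the commit message should say that the described behaviour changed.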
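Review bot: in the PATCH 7/7 hunk (@@ -28,7 +28,7 @@) the touched line still ends "to determine the files as malicious or clean", which is ungrammatical ("the files" for a single file, "determine ... as"); since the line is already being rewritten, make it "to determine whether the file is malicious or clean". The same line's "our cloud protection backend" reads as first-person in an otherwise third-person topic; "the Windows Defender cloud protection backend" fits the surrounding text.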