deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 05:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #126 from Microsoft/iawilt-windef

Browse Source 
cherry pick for some commits only - do not merge
This commit is contained in:
Iaan D'Souza-Wiltshire 2016-08-15 18:10:11 -07:00 committed by GitHub
commit da059d12a6
2 changed files with 86 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
windows/keep-secure/windows-defender-block-at-first-sight.md
View File

@ -12,41 +12,40 @@ localizationpriority: medium
author: iaanw author: iaanw
--- ---
# Enable the Block at First Sight feature in Windows 10 # Block at First Sight
**Applies to** **Applies to**
- Windows 10, version 1607 - Windows 10, version 1607
**Audience**
- Network administrators
Block at First Sight is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds. Block at First Sight is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds.
You can enable Block at First Sight with Group Policy or individually on endpoints. It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention.
## Backend processing and near-instant determinations ## How it works
When a Windows Defender client encounters a suspicious but previously undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
If the cloud backend is unable to make a determination, a copy of the file is requested for additional processing and analysis in the cloud. If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file.
If the Block at First Sight feature is enabled on the client, the file will be locked by Windows Defender while a copy is uploaded to the cloud, processed, and a verdict returned to the client. Only after a determination is returned from the cloud will Windows Defender release the lock and let the file run. In many cases this process can reduce the response time to new malware from hours to seconds.
The file-based determination typically takes 1 to 4 seconds.
> [!NOTE] > [!NOTE]
> Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files. > Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files.
## Enable Block at First Sight ## Confirm Block at First Sight is enabled
### Use Group Policy to configure Block at First Sight Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender deployments in enterprise networks.
You can use Group Policy to control whether Windows Defender will continue to lock a suspicious file until it is uploaded to the backend. > [!IMPORTANT]
> There is no specific individual setting in System Center Configuration Manager to enable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly.
This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device. ### Confirm Block at First Sight is enabled with Group Policy
Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work.
**Configure pre-requisite cloud protection Group Policy settings:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -56,28 +55,56 @@ Block at First Sight requires a number of Group Policy settings to be configured
5. Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following Group Policies: 5. Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following Group Policies:
1. Double-click the **Join Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**. 1. Double-click the **Join Microsoft MAPS** setting and ensure the option is set to **Enabled**. Click **OK**.
1. Double-click the **Send file samples when further analysis is required** setting and set the option as **Enabled** and the additional options as either of the following: 1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following:
1. Send safe samples (1) 1. Send safe samples (1)
1. Send all samples (3) 1. Send all samples (3)
> [!NOTE] > [!WARNING]
> Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function. > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
1. Click OK after both Group Policies have been set. 1. Click **OK**.
1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection**: 1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection**:
1. Double-click the **Scan all downloaded files and attachments** setting and set the option to **Enabled**. Click **OK**. 1. Double-click the **Scan all downloaded files and attachments** setting and ensure the option is set to **Enabled**. Click **OK**.
1. Double-click the **Turn off real-time protection** setting and set the option to **Disabled**. Click **OK**. 1. Double-click the **Turn off real-time protection** setting and ensure the option is set to **Disabled**. Click **OK**.
If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
### Confirm Block at First Sight is enabled with Windows Settings
**Enable Block at First Sight with Group Policy** > [!NOTE]
> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
You can confirm that Block at First Sight is enabled in Windows Settings. The feature is automatically enabled, as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
**Confirm Block at First Sight is enabled on individual clients**
1. Open Windows Defender settings:
a. Open the Windows Defender app and click **Settings**.
b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender**.
2. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
## Disable Block at First Sight
> [!WARNING]
> Disabling the Block at First Sight feature will lower the protection state of the endpoint and your network.
> [!NOTE]
> You cannot disable Block at First Sight with System Center Configuration Manager
You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
**Disable Block at First Sight with Group Policy**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -87,28 +114,14 @@ Block at First Sight requires a number of Group Policy settings to be configured
5. Expand the tree through **Windows components > Windows Defender > MAPS**. 5. Expand the tree through **Windows components > Windows Defender > MAPS**.
1. Double-click the **Configure the Block at First Sight feature** setting and set the option to **Enabled**. 1. Double-click the **Configure the Block at First Sight feature** setting and set the option to **Disabled**.
> [!NOTE] > [!NOTE]
> The Block at First Sight feature will not function if the pre-requisite group policies have not been correctly set. > Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies.
### Manually enable Block at First Sight on individual clients
To configure un-managed clients that are running Windows 10, Block at First Sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
**Enable Block at First Sight on individual clients**
1. Open Windows Defender settings:
a. Open the Windows Defender app and click **Settings**.
b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender**.
2. Switch **Cloud-based Protection** and **Automatic sample submission** to **On**.
> [!NOTE]
> These settings will be overridden if the network administrator has configured their associated Group Policies. The settings will appear grayed out and you will not be able to modify them if they are being managed by Group Policy.
## Related topics ## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md) - [Windows Defender in Windows 10](windows-defender-in-windows-10.md)

34
windows/keep-secure/windows-defender-enhanced-notifications.md
View File

@ -22,9 +22,9 @@ In Windows 10, application notifications about malware detection and remediation
Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals. Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals.
You can enable and disable enhanced notifications with the registry or in Windows Settings. You can enable and disable enhanced notifications with the registry or in Windows Settings.
## Configure enhanced notifications ## Disable notifications
You can disable enhanced notifications on individual endpoints in Windows Settings. You can disable enhanced notifications on individual endpoints in Windows Settings.
@ -39,6 +39,36 @@ You can disable enhanced notifications on individual endpoints in Windows Settin
![Windows Defender enhanced notifications](images/defender/enhanced-notifications.png) ![Windows Defender enhanced notifications](images/defender/enhanced-notifications.png)
**Use Group Policy to disable Windows Defender notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings:
1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
1. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **Ok**. This will disable notifications that ask the endpoint user to reboot the machine to perform additional cleaning.
>[!NOTE]
>Usually, users are asked to reboot the endpoint to perform a scan with Windows Defender Offline. For details on performing offline scans, see the [Windows Defender Offline](windows-defender-offline.md#manage-notifications) topic.
**Use the registry to disable Windows Defender enhanced notifications:**
1. Click **Start**, type `Run`, and press **Enter**.
2. From the **Run** dialog box, type `regedit` and press **Enter**.
3. In the Registry Editor navigate to the following key:
```
HKLM\Software\Policies\Microsoft\Windows Defender
```
4. Right-click the Windows Defender key and add a new key. Name it `Features`.
5. Right-click the **Features** key you created and select **New** then **DWORD (32-bit) Value**. Name the value `DisableEnhancedNotifications`.
6. Double-click the **DisableEnhancedNotifications** value and set it to `1`.
## Related topics ## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md) - [Windows Defender in Windows 10](windows-defender-in-windows-10.md)