deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into FromPrivateRepo

Browse Source
This commit is contained in:
huaping yu 2019-07-09 20:50:11 -07:00
commit dadf807667
21 changed files with 143 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.openpublishing.redirection.json
View File

@ -6503,7 +6503,7 @@
{
"source_path": "store-for-business/app-inventory-management-windows-store-for-business.md",
"redirect_url": "/microsoft-store/app-inventory-management-microsoft-store-for-business",
"redirect_document_id": true
"redirect_document_id": false
},
{
"source_path": "windows/manage/application-development-for-windows-as-a-service.md",

1
devices/hololens/TOC.md
View File

@ -11,6 +11,7 @@
## [Manage updates to HoloLens](hololens-updates.md)
## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md)
## [Use the HoloLens Clicker](hololens-clicker.md)
## [Restart, reset, or recover the HoloLens](hololens-restart-recover.md)
## [Restart or recover the HoloLens clicker](hololens-clicker-restart-recover.md)
# Application Management

1
devices/hololens/hololens-clicker-restart-recover.md
View File

@ -3,6 +3,7 @@ title: Restart or recover the HoloLens clicker
description: Things to try if the HoloLens clicker is unresponsive or isnt working well.
ms.assetid: 13406eca-e2c6-4cfc-8ace-426ff8f837f4
ms.reviewer: jarrettrenshaw
ms.date: 07/01/2019
manager: v-miegge
keywords: hololens
ms.prod: hololens

1
devices/hololens/hololens-clicker.md
View File

@ -3,6 +3,7 @@ title: Use the HoloLens Clicker
description:
ms.assetid: 7d4a30fd-cf1d-4c9a-8eb1-1968ccecbe59
ms.reviewer: jarrettrenshaw
ms.date: 07/01/2019
manager: v-miegge
keywords: hololens
ms.prod: hololens

1
devices/hololens/hololens-cortana.md
View File

@ -3,6 +3,7 @@ title: Cortana on HoloLens
description: Cortana can help you do all kinds of things on your HoloLens
ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed
ms.reviewer: jarrettrenshaw
ms.date: 07/01/2019
manager: v-miegge
keywords: hololens
ms.prod: hololens

1
devices/hololens/hololens-find-and-save-files.md
View File

@ -3,6 +3,7 @@ title: Find and save files on HoloLens
description: Use File Explorer on HoloLens to view and manage files on your device
ms.assetid: 77d2e357-f65f-43c8-b62f-6cd9bf37070a
ms.reviewer: jarrettrenshaw
ms.date: 07/01/2019
manager: v-miegge
keywords: hololens
ms.prod: hololens

1
devices/hololens/hololens-get-apps.md
View File

@ -3,6 +3,7 @@ title: Get apps for HoloLens
description: The Microsoft Store is your source for apps and games that work with HoloLens.
ms.assetid: cbe9aa3a-884f-4a92-bf54-8d4917bc3435
ms.reviewer: jarrettrenshaw
ms.date: 07/01/2019
manager: v-miegge
keywords: hololens
ms.prod: hololens

1
devices/hololens/hololens-offline.md
View File

@ -3,6 +3,7 @@ title: Use HoloLens offline
description: To set up HoloLens, you'll need to connect to a Wi-Fi network
ms.assetid: b86f603c-d25f-409b-b055-4bbc6edcd301
ms.reviewer: jarrettrenshaw
ms.date: 07/01/2019
manager: v-miegge
keywords: hololens
ms.prod: hololens

55
devices/hololens/hololens-restart-recover.md Normal file
View File

@ -0,0 +1,55 @@
---
title: Restart, reset, or recover HoloLens
description: Restart, reset, or recover HoloLens
ms.assetid: 9a546416-1648-403c-9e0c-742171b8812e
ms.reviewer: jarrettrenshaw
ms.date: 07/01/2019
manager: v-miegge
keywords: hololens
ms.prod: hololens
ms.sitesec: library
author: v-miegge
ms.author: v-miegge
ms.topic: article
ms.localizationpriority: medium
---
# Restart, reset, or recover HoloLens
Here are some things to try if your HoloLens is unresponsive, isnt running well, or is experiencing software or update problems.
## Restart your HoloLens
If your HoloLens isnt running well or is unresponsive, try the following things.
First, try restarting the device: say, "Hey Cortana, restart the device."
If youre still having problems, press the power button for 4 seconds, until all of the battery indicators fade out. Wait 1 minute, then press the power button again to turn on the device.
If neither of those things works, force restart the device. Hold down the power button for 10 seconds. Release it and wait 30 seconds, then press the power button again to turn on the device.
## Reset or recover your HoloLens
If restarting your HoloLens doesnt help, another option is to reset it. If resetting it doesnt fix the problem, the Windows Device Recovery Tool can help you recover your device.
>[!IMPORTANT]
>Resetting or recovering your HoloLens will erase all of your personal data, including apps, games, photos, and settings. You wont be able to restore a backup once the reset is complete.
## Reset
Resetting your HoloLens keeps the version of the Windows Holographic software thats installed on it and returns everything else to factory settings.
To reset your HoloLens, go to **Settings** > **Update** > **Reset** and select **Reset device**. The battery will need to have at least a 40 percent charge remaining to reset.
## Recover using the Windows Device Recovery Tool
Before you use this tool, determine if restarting or resetting your HoloLens fixes the problem. The recovery process may take some time, and the latest version of the Windows Holographic software approved for your HoloLens will be installed.
To use the tool, youll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you cant run this tool on a virtual machine.
To recover your HoloLens
1. Download and install the [Windows Device Recovery Tool](https://dev.azure.com/ContentIdea/ContentIdea/_queries/query/8a004dbe-73f8-4a32-94bc-368fc2f2a895/) on your computer.
1. Connect the clicker to your computer using the Micro USB cable that came with your HoloLens.
1. Run the Windows Device Recovery Tool and follow the instructions.
If the clicker isnt automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode.

1
devices/hololens/hololens-spaces-on-hololens.md
View File

@ -3,6 +3,7 @@ title: Spaces on HoloLens
description: HoloLens blends holograms with your world
ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
ms.reviewer: jarrettrenshaw
ms.date: 07/01/2019
manager: v-miegge
keywords: hololens
ms.prod: hololens

1
devices/hololens/hololens-use-apps.md
View File

@ -3,6 +3,7 @@ title: Use apps on HoloLens
description: Apps on HoloLens use either 2D view or holographic view.
ms.assetid: 6bd124c4-731c-4bcc-86c7-23f9b67ff616
ms.reviewer: jarrettrenshaw
ms.date: 07/01/2019
manager: v-miegge
keywords: hololens
ms.prod: hololens

24
windows/deployment/windows-autopilot/troubleshooting.md
View File

@ -26,20 +26,20 @@ Windows Autopilot is designed to simplify all parts of the Windows device lifecy
Regardless of whether performing user-driven or self-deploying device deployments, the troubleshooting process is the mostly the same. It is useful to understand the flow for a specific device:
- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection.
- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place.
- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated.
- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials.
- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune).
- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in.
- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection.
- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place.
- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated.
- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials.
- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune).
- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in.
For troubleshooting, key activities to perform are:
- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)?
- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)?
- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected?
- Azure AD join issues. Was the device able to join Azure Active Directory?
- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)?
- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)?
- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)?
- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected?
- Azure AD join issues. Was the device able to join Azure Active Directory?
- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)?
## Troubleshooting Autopilot OOBE issues
@ -109,7 +109,7 @@ When a profile is downloaded depends on the version of Windows 10 that is runnin
| 1803 | The profile is downloaded as soon as possible. If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. |
| 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. |
If you need to reboot a computer during OOBE:
If you need to reboot a computer during OOBE:
- Press Shift-F10 to open a command prompt.
- Enter **shutdown /r /t 0** to restart immediately, or **shutdown /s /t 0** to shutdown immediately.

3
windows/deployment/windows-autopilot/white-glove.md
View File

@ -38,6 +38,9 @@ In addition to [Windows Autopilot requirements](windows-autopilot-requirements.m
- Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements.
- Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device.
>[!IMPORTANT]
>Because the OEM or vendor performs the white glove process, this <u>doesnt require access to an end-user's on-prem domain infrastructure</u>. This is unlike a typical hybrid Azure AD-joined scenario because rebooting the device is postponed. The device is resealed prior to the time when connectivity to a domain controller is expected, and the domain network is contacted when the device is unboxed on-prem by the end-user.
## Preparation
Devices slated for WG provisioning are registered for Autopilot via the normal registration process.

26
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: medium
author: medgarmedgar
ms.author: v-medgar
ms.date: 3/1/2019
ms.date: 7/9/2019
---
# Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
@ -70,14 +70,15 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
| 14. Offline maps | [AllowOfflineMapsDownloadOverMeteredConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps)|Allows the download and update of map data over metered connections. <br /> **Set to 0 (zero)**
| | [EnableOfflineMapsAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate)|Disables the automatic download and update of map data. **Set to 0 (zero)**
| 15. OneDrive | [DisableOneDriveFileSync](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync)| Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)**
| 15.1 Injest the ADMX | To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. | The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001").
| 15.2 Prevent Network Traffic before User SignIn | PreventNetworkTrafficPreUserSignIn | The OMA-URI value is: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC\~Policy\~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn
| 16. Preinstalled apps | N/A | N/A
| 17. Privacy settings | | Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
| 17.1 General | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | This policy setting controls the ability to send inking and typing data to Microsoft. **Set to 0 (zero)**
| 17.2 Location | [System/AllowLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowlocation) | Specifies whether to allow app access to the Location service. **Set to 0 (zero)**
| 17.3 Camera | [Camera/AllowCamera](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-camera#camera-allowcamera) | Disables or enables the camera. **Set to 0 (zero)**
| 17.4 Microphone | [Privacy/LetAppsAccessMicrophone](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone) | Specifies whether Windows apps can access the microphone. **Set to 2 (two)**
| 17.5 Notifications | [Notifications/DisallowCloudNotification](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification) | Turn off notifications network usage. **DO NOT TURN OFF WNS Notifications if you want manage your device(s) using Microsoft InTune**
| | [Privacy/LetAppsAccessNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications) | Specifies whether Windows apps can access notifications. **Set to 2 (two)**
| 17.5 Notifications | [Privacy/LetAppsAccessNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications) | Specifies whether Windows apps can access notifications. **Set to 2 (two)**
| | [Settings/AllowOnlineTips]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-allowonlinetips) | Enables or disables the retrieval of online tips and help for the Settings app. **Set to Disabled**
| 17.6 Speech, Inking, & Typing | [Privacy/AllowInputPersonalization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | This policy specifies whether users on the device have the option to enable online speech recognition. **Set to 0 (zero)**
| | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection)| This policy setting controls the ability to send inking and typing data to Microsoft **Set to 0 (zero)**
@ -106,13 +107,30 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
| | [Defender/SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | Stop sending file samples back to Microsoft. **Set to 2 (two)**
| 23.1 Windows Defender Smartscreen | [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Disable Windows Defender Smartscreen. **Set to 0 (zero)**
| 23.2 Windows Defender Smartscreen EnableAppInstallControl | [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol) | Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)**
| 23.3 Windows Defender Potentially Unwanted Applications(PUA) Protection | [Defender/PUAProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-puaprotection) | Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)**
| 24. Windows Spotlight | [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight) | Disable Windows Spotlight. **Set to 0 (zero)**
| 25. Microsoft Store | [ApplicationManagement/DisableStoreOriginatedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps)| Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. **Set to 1 (one)**
| | [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate)| Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)**
| 25.1 Apps for websites | [ApplicationDefaults/EnableAppUriHandlers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers) | This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)**
| 26. Windows Update Delivery Optimization | | The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
| | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode)| Lets you choose where Delivery Optimization gets or sends updates and apps. **Set to 100 (one hundred)**
| 27. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates. **Set to 5 (five)**
| 27. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates. **Set to 5 (five)**
| 27.1 Windows Update Allow Update Service | [Update/AllowUpdateService](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) | Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. **Set to 0 (zero)**
| 27.2 Windows Update Service URL| [Update/UpdateServiceUrl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) | Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with this Value:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</LocURI>
</Target>
<Data>http://abcd-srv:8530</Data>
</Item>
</Replace>
### <a href="" id="bkmk-mdm-whitelist"></a> Allowed traffic ("Whitelisted traffic") for Microsoft InTune / MDM configurations

12
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -69,8 +69,7 @@ The following table lists management options for each setting, beginning with Wi
| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) |
| [12. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [13. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [14. Network Connection Status Indicator](#bkmk-ncsi)
) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | |
@ -548,14 +547,7 @@ To turn off the Windows Mail app:
### <a href="" id="bkmk-microsoft-account"></a>12. Microsoft Account
To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
- **Enable** the Group Policy: **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt; **Security Options** &gt; **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**.
-or-
- Create a REG_DWORD registry setting named **NoConnectedUser** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System** with a **value of 3**.
Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
To disable the Microsoft Account Sign-In Assistant:

40
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
View File

@ -18,7 +18,7 @@ ms.topic: conceptual
ms.date: 04/24/2018
---
# Advanced hunting query best practices Microsoft Defender ATP
# Advanced hunting query best practices in Microsoft Defender ATP
**Applies to:**
@ -28,23 +28,26 @@ ms.date: 04/24/2018
## Performance best practices
The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries.
- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/).
- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
- Use 'has' keyword over 'contains' when looking for full tokens.
- When trying new queries, always use `limit` to avoid extremely large result sets or use `count` to assess the size of the result set.
- Use time filters first. Ideally, limit your queries to 7 days.
- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
- Use the `has` operator over `contains` when looking for full tokens.
- Use looking in specific column rather than using full text search across all columns.
- When joining between two tables - choose the table with less rows to be the first one (left-most).
- When joining between two tables - project only needed columns from both sides of the join.
- When joining between two tables, specify the table with fewer rows first.
- When joining between two tables, project only needed columns from both sides of the join.
>[!Tip]
>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/en-us/azure/kusto/query/best-practices).
## Query tips and pitfalls
### Unique Process IDs
Process IDs are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
### Using process IDs
Process IDs (PIDs) are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
To address this issue, Microsoft Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time.
So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either `MachineId` or `ComputerName`), a process ID (`ProcessId` or `InitiatingProcessId`) and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`)
So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either MachineId or ComputerName), a process ID (ProcessId or InitiatingProcessId) and the process creation time (ProcessCreationTime or InitiatingProcessCreationTime)
The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB) - possibly scanning for file shares.
The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
Example query:
```
@ -54,13 +57,13 @@ NetworkCommunicationEvents
| where RemoteIPCount > 10
```
The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime - to make sure the query looks at a single process, and not mixing multiple processes with the same process ID.
The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
### Using command line queries
### Using command lines
Command lines may vary - when applicable, filter on file names and do fuzzy matching.
Command lines can vary. When applicable, filter on file names and do fuzzy matching.
There are numerous ways to construct a command line to accomplish a task.
There are numerous ways to construct a command line to accomplish a task.
For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more.
@ -68,7 +71,7 @@ To create more durable queries using command lines, we recommended the following
- Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field.
- When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
- Use case insensitive matches. For example, use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs'
- Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs`
- To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones.
The following example query shows various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
@ -90,7 +93,4 @@ ProcessCreationEvents
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
```
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)

3
windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
View File

@ -28,6 +28,9 @@ ms.topic: procedural
Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
>[!NOTE]
>Before you can track and manage onboarding of machines, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management).
## Discover and track unprotected machines
The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 machines that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 machines.

3
windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
View File

@ -30,6 +30,9 @@ Security baselines ensure that security features are configured according to gui
To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a).
>[!NOTE]
>Before you can track and manage compliance to the Microsoft Defender ATP security baseline, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management).
## Compare the Microsoft Defender ATP and the Windows Intune security baselines
The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:

13
windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
View File

@ -49,14 +49,17 @@ Machine configuration management works closely with Intune device management to
Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll).
>[!NOTE]
>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/en-us/intune/licenses-assign).
>[!TIP]
>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
>[!NOTE]
>During preview, you might encounter a few known limitations:
>- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
>- The count of onboarded machines tracked by machine configuration management might not include machines onboarded using Security Center Configuration Manager, the onboarding script, or other onboarding methods that dont use Intune profiles. To include these machines, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to these machines.
>- The Microsoft Defender ATP security baseline currently doesnt cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
## Known issues and limitations in this preview
During preview, you might encounter a few known limitations:
- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
- The count of onboarded machines tracked by machine configuration management might not include machines onboarded using Security Center Configuration Manager, the onboarding script, or other onboarding methods that dont use Intune profiles. To include these machines, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to these machines.
- The Microsoft Defender ATP security baseline currently doesnt cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
## In this section

1
windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md
View File

@ -83,7 +83,6 @@ than the process in level 1.
|---------|----------------|--------------|-------------|
| Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | Enabled | Turns off toast notifications on the lock screen. |
| Windows Components / Cloud Content | Do not suggest third-party content in the Windows spotlight | Enabled | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers |
| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. |
### Services

5
windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md
View File

@ -53,6 +53,11 @@ a level of security commensurate with the risks facing targeted organizations. M
| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Intranet Sites: Include all network paths (UNCs) | Disabled | This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. |
| Windows Components / Microsoft Edge | Configure Password Manager | Disabled | This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default, Password Manager is turned on. if you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting employees can't use Password Manager to save their passwords locally. If you don't configure this setting employees can choose whether to use Password Manager to save their passwords locally. |
### User Policies
| Feature | Policy Setting | Policy Value | Description |
|----------|-----------------|---------------|--------------|
| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. |
## Controls
The controls enforced in level 3 implement complex security configuration and controls.