The data type is integer. Supported operation is Get and Replace. +**Properties/SleepMode** +
Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub. + +
Valid values: + +- 0 - Connected Standby (default) +- 1 - Hibernate + +
The data type is integer. Supported operation is Get and Replace. + **Properties/AllowSessionResume**
Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 5f3d865cbd..0325decbfc 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -52,7 +52,7 @@ Supported operations include Get, Add, and Delete. Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect. **VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId -A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. +A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. Supported operations include Get, Add, Replace, and Delete. @@ -132,7 +132,7 @@ Returns the namespace type. This value can be one of the following: Value type is chr. Supported operation is Get. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DnsServers** -List of comma separated DNS Server IP addresses to use for the namespace. +List of comma-separated DNS Server IP addresses to use for the namespace. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -202,7 +202,7 @@ Numeric value from 0-255 representing the IP protocol to allow. For example, TCP Value type is int. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalPortRanges** -A list of comma separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`. +A list of comma-separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`. > [!NOTE] > Ports are only valid when the protocol is set to TCP=6 or UDP=17. @@ -210,7 +210,7 @@ A list of comma separated values specifying local port ranges to allow. For exam Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemotePortRanges** -A list of comma separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`. +A list of comma-separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`. > [!NOTE] > Ports are only valid when the protocol is set to TCP=6 or UDP=17. @@ -218,12 +218,12 @@ A list of comma separated values specifying remote port ranges to allow. For exa Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalAddressRanges** -A list of comma separated values specifying local IP address ranges to allow. +A list of comma-separated values specifying local IP address ranges to allow. Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemoteAddressRanges** -A list of comma separated values specifying remote IP address ranges to allow. +A list of comma-separated values specifying remote IP address ranges to allow. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -241,9 +241,9 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. Added in Windows 10, version 2004. Specifies the traffic direction to apply this policy to. Default is Outbound. The value can be one of the following: - Outbound - The rule applies to all outbound traffic -- nbound - The rule applies to all inbound traffic +- Inbound - The rule applies to all inbound traffic -If no inbound filter is provided, then by default all unsolicated inbound traffic will be blocked. +If no inbound filter is provided, then by default all unsolicited inbound traffic will be blocked. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -327,7 +327,7 @@ Valid values: - True = Register the connection's addresses in DNS. **VPNv2/**ProfileName**/DnsSuffix** -Optional. Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. +Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -345,7 +345,10 @@ Added in Windows 10, version 1607. The XML schema for provisioning all the fiel Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/Proxy** -A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected. +A collection of configuration objects to enable a post-connect proxy support for VPN Force Tunnel connections. The proxy defined for this profile is applied when this profile is active and connected. + +> [!NOTE] +> VPN proxy settings are used only on Force Tunnel connections. On Split Tunnel connections, the general proxy settings are used. **VPNv2/**ProfileName**/Proxy/Manual** Optional node containing the manual server settings. @@ -436,7 +439,7 @@ Required for native profiles. Public or routable IP address or DNS name for the The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. -You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. +You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -1329,4 +1332,3 @@ Servers - diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index 0bdc744338..bdb67e2528 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -1,6 +1,6 @@ --- title: Advanced advice for Stop error 7B, Inaccessible_Boot_Device -description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device. This error may occur after some changes are made to the computer, +description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device. This error might occur after some changes are made to the computer, ms.prod: w10 ms.mktglfcycl: ms.sitesec: library @@ -15,27 +15,27 @@ manager: dansimp # Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device -This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error may occur after some changes are made to the computer, or immediately after you deploy Windows on the computer. +This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error might occur after some changes are made to the computer, or immediately after you deploy Windows on the computer. ## Causes of the Inaccessible_Boot_Device Stop error -Any one of the following factors may cause the stop error: +Any one of the following factors might cause the stop error: -* Missing, corrupted, or misbehaving filter drivers that are related to the storage stack +* Missing, corrupted, or misbehaving filter drivers that are related to the storage stack -* File system corruption +* File system corruption -* Changes to the storage controller mode or settings in the BIOS +* Changes to the storage controller mode or settings in the BIOS -* Using a different storage controller than the one that was used when Windows was installed +* Using a different storage controller than the one that was used when Windows was installed -* Moving the hard disk to a different computer that has a different controller +* Moving the hard disk to a different computer that has a different controller -* A faulty motherboard or storage controller, or faulty hardware +* A faulty motherboard or storage controller, or faulty hardware -* In unusual cases: the failure of the TrustedInstaller service to commit newly installed updates because of Component Based Store corruptions +* In unusual cases, the failure of the TrustedInstaller service to commit newly installed updates is because of component-based store corruptions -* Corrupted files in the **Boot** partition (for example, corruption in the volume that is labeled **SYSTEM** when you run the `diskpart` > `list vol` command) +* Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command) ## Troubleshoot this error @@ -43,9 +43,9 @@ Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com 1. Start the system by using [the installation media for the installed version of Windows](https://support.microsoft.com/help/15088). -2. On the **Install Windows** screen, select **Next** > **Repair your computer** . +2. On the **Install Windows** screen, select **Next** > **Repair your computer**. -3. On the **System Recovery Options** screen, select **Next** > **Command Prompt** . +3. On the **System Recovery Options** screen, select **Next** > **Command Prompt**. ### Verify that the boot disk is connected and accessible @@ -55,7 +55,7 @@ Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com A list of the physical disks that are attached to the computer should be displayed and resemble the following display: -``` +```console Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- @@ -65,7 +65,7 @@ A list of the physical disks that are attached to the computer should be display If the computer uses a Unified Extensible Firmware Interface (UEFI) startup interface, there will be an asterisk () in the **GPT* column. -If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn** column. +If the computer uses a basic input/output system (BIOS) interface, there won't be an asterisk in the **Dyn** column. #### Step 2 @@ -73,7 +73,7 @@ If the `list disk` command lists the OS disks correctly, run the `list vol` comm `list vol` generates an output that resembles the following display: -``` +```console Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- @@ -86,7 +86,7 @@ If the `list disk` command lists the OS disks correctly, run the `list vol` comm ``` >[!NOTE] ->If the disk that contains the OS is not listed in the output, you will have to engage the OEM or virtualization manufacturer. +>If the disk that contains the OS isn't listed in the output, you'll have to engage the OEM or virtualization manufacturer. ### Verify the integrity of Boot Configuration Database @@ -94,57 +94,57 @@ Check whether the Boot Configuration Database (BCD) has all the correct entries. To verify the BCD entries: -1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file. +1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file. - An example output if the computer is UEFI-based: + If the computer is UEFI-based, here's example output: - ``` + ```cmd device partition=\Device\HarddiskVolume2 path \EFI\Microsoft\Boot\bootmgfw.efi ``` - An example output if the machine is BIOS based: - ``` + If the machine is BIOS-based, here's example output: + ```cmd Device partition=C: ``` >[!NOTE] - >This output may not contain a path. + >This output might not contain a path. -2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device**, **path**, **osdevice**, and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. +2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device**, **path**, **osdevice**, and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. > [!NOTE] - > If the computer is UEFI-based, the filepath value specified in the **path** parameter of **{bootmgr}** and **{default}** will contain an **.efi** extension. + > If the computer is UEFI-based, the file path value that's specified in the **path** parameter of **{bootmgr}** and **{default}** contains an **.efi** extension.  -If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that is named **bcdbackup** . To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup** . +If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that's named **bcdbackup**. To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup**. -After the backup is completed, run the following command to make the changes: +After the backup completes, run the following command to make the changes:
bcdedit /set *{identifier}* option value
-For example, if the device under {default} is wrong or missing, run the following command to set it: `bcdedit /set {default} device partition=C:`
+For example, if the device under {default} is wrong or missing, run this command to set it: `bcdedit /set {default} device partition=C:`
- If you want to re-create the BCD completely, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`.
+ If you want to completely re-create the BCD, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`.
-If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location per the path that is specified in the **bcdedit** command. By default, **bootmgr** in the BIOS partition will be in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`.
+If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location, which is in the specified path in the **bcdedit** command. By default, **bootmgr** in the BIOS partition is in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`.
If the files are missing, and you want to rebuild the boot files, follow these steps:
-1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, as follows:
+1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, like shown here:
-```
-D:\> Mkdir BootBackup
-R:\> Copy *.* D:\BootBackup
-```
+ ```cmd
+ D:\> Mkdir BootBackup
+ R:\> Copy *.* D:\BootBackup
+ ```
-2. If you are using Windows 10, or if you are troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, as follows:
+2. If you're using Windows 10, or if you're troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, like shown here:
```cmd
Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL
```
- For example: if we assign the `Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. | -|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
get-hotfix KB3173424,KB2919355,KB2919442
If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. +|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
To determine if these prerequisite updates are installed, run the following PowerShell command:
`get-hotfix KB3173424,KB2919355, KB2919442`.
If the updates are installed, the command will return the installed date in the `InstalledOn` section of the output. ## Issues related to firewall configuration -Error that may be seen in the WU logs: +Error that you might see in Windows Update logs: ```console DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. ``` @@ -150,33 +149,34 @@ DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337(v=ws.10)). ## Issues arising from configuration of conflicting policies -Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. +Windows Update provides a wide range configuration policy to control the behavior of the Windows Update service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting policies may lead to unexpected behaviors. See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. ## Device cannot access update files -Check that your device can access these Windows Update endpoints: -- `http://windowsupdate.microsoft.com` -- `http://*.windowsupdate.microsoft.com` -- `https://*.windowsupdate.microsoft.com` -- `http://*.update.microsoft.com` -- `https://*.update.microsoft.com` -- `http://*.windowsupdate.com` -- `http://download.windowsupdate.com` -- `https://download.microsoft.com` -- `http://*.download.windowsupdate.com` -- `http://wustat.windows.com` -- `http://ntservicepack.microsoft.com` -- `https://*.prod.do.dsp.mp.microsoft.com` -- `http://*.dl.delivery.mp.microsoft.com` -- `https://*.delivery.mp.microsoft.com` -- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` - - Allow these endpoints for future use. +Ensure that devices can reach necessary Windows Update endpoints through the firewall. For example, for Windows 10, version 2004, the following protocols must be able to reach these respective endpoints: + + +|Protocol |Endpoint URL | +|---------|---------| +|TLS 1.2 | `*.prod.do.dsp.mp.microsoft.com` | +|HTTP | `emdl.ws.microsoft.com` | +|HTTP | `*.dl.delivery.mp.microsoft.com` | +|HTTP | `*.windowsupdate.com` | +|HTTPS | `*.delivery.mp.microsoft.com` | +|TLS 1.2 | `*.update.microsoft.com` | +|TLS 1.2 | `tsfe.trafficshaping.dsp.mp.microsoft.com` | + +> [!NOTE] +> Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail. + +The specific endpoints can vary between Windows 10 versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](https://docs.microsoft.com/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows 10 versions are available in the table of contents nearby. + ## Updates aren't downloading from the intranet endpoint (WSUS or Configuration Manager) -Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: +Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: + 1. Start Windows PowerShell as an administrator. 2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". 3. Run \$MUSM.Services. @@ -192,14 +192,14 @@ Check the output for the Name and OffersWindowsUPdates parameters, which you can |- Name: Windows Update
- OffersWindowsUpdates: True|- The source is Windows Update.
- The client is configured to receive updates from Windows Update Online.| ## You have a bad setup in the environment -If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: +In this example, per the Group Policy set through registry, the system is configured to use WSUS to download updates (note the second line): ```console HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] -"UseWUServer"=dword:00000001 ===================================> it says use WSUS server. +"UseWUServer"=dword:00000001 ``` -From the WU logs: +From Windows Update logs: ```console 2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] 2018-08-06 09:33:31:085 480 1118 Agent ********* @@ -215,7 +215,7 @@ From the WU logs: In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. -Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include Configuration Manager, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. +Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are no updates to install or download. This is due to an incorrect configuration. The WSUS side should approve the updates for Windows Update so that it fetches the updates and installs them at the specified time according to the policy. Since this scenario doesn't include Configuration Manager, there's no way to install unapproved updates. You're expecting the operational insight agent to do the scan and automatically trigger the download and installation but that won’t happen with this configuration. ```console 2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 07a8ea153b..2fad5a8fc9 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -36,6 +36,7 @@ "globalMetadata": { "audience": "ITPro", "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "ms.topic": "article", "feedback_system": "GitHub", diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index f7ff32cbfe..0f24cde486 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -33,6 +33,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index a1832d8486..b1c3b25c91 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -1638,7 +1638,7 @@ The following fields are available: - **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. - **OSEdition** Retrieves the version of the current OS. -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc. - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). - **OSSKU** Retrieves the Friendly Name of OS Edition. - **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. @@ -1786,7 +1786,7 @@ This event sends data about the current user's default preferences for browser a The following fields are available: - **CalendarType** The calendar identifiers that are used to specify different calendars. -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultApp** The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. - **DefaultBrowserProgId** The ProgramId of the current user's default browser. - **LocaleName** Name of the current user locale given by LOCALE_SNAME via the GetLocaleInfoEx() function. - **LongDateFormat** The long date format the user has selected. @@ -6052,7 +6052,7 @@ The following fields are available: ### Microsoft.Windows.Sense.Client.PerformanceScript.OnboardingScript -This event is triggered whenever WDATP onboarding script is run. The data collected with this event is used to keep Windows performing properly. +This event is triggered whenever Microsoft Defender for Endpoint onboarding script is run. The data collected with this event is used to keep Windows performing properly. The following fields are available: diff --git a/windows/security/docfx.json b/windows/security/docfx.json index ab00e42eba..1998bdf279 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -33,6 +33,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.topic": "article", "manager": "dansimp", "audience": "ITPro", diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 742dd80951..1d0b90717a 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -160,7 +160,7 @@ You can view System Information to check that Windows Defender Credential Guard 2. Click **System Summary**. -3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Configured**. +3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**. Here's an example: diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md index 246c89eb92..542eec5756 100644 --- a/windows/security/includes/machineactionsnote.md +++ b/windows/security/includes/machineactionsnote.md @@ -1,6 +1,6 @@ --- -title: Perform a Machine Action via the Microsoft Defender ATP API -description: This page focuses on performing a machine action via the Microsoft Defender Advanced Threat Protection (MDATP) API. +title: Perform a Machine Action via the Microsoft Defender for Endpoint API +description: This page focuses on performing a machine action via the Microsoft Defender for Endpoint API. ms.date: 08/28/2017 ms.reviewer: manager: dansimp @@ -10,4 +10,4 @@ ms.prod: w10 --- >[!Note] -> This page focuses on performing a machine action via API. See [take response actions on a machine](../threat-protection/microsoft-defender-atp/respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP. +> This page focuses on performing a machine action via API. See [take response actions on a machine](../threat-protection/microsoft-defender-atp/respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender for Endpoint. diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md index a83544340f..a008aa45d7 100644 --- a/windows/security/includes/prerelease.md +++ b/windows/security/includes/prerelease.md @@ -1,6 +1,6 @@ --- -title: Microsoft Defender ATP Pre-release Disclaimer -description: Disclaimer for pre-release version of Microsoft Defender ATP. +title: Microsoft Defender for Endpoint Pre-release Disclaimer +description: Disclaimer for pre-release version of Microsoft Defender for Endpoint. ms.date: 08/28/2017 ms.reviewer: manager: dansimp diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 131a256f82..2b79e081bc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -62,7 +62,7 @@ A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant B The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. > [!IMPORTANT] -> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://blogs.technet.microsoft.com/tip_of_the_day/2014/01/22/tip-of-the-day-bitlocker-without-tpm-or-usb/). +> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup). > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 017eb64762..d3ff0fb615 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -84,7 +84,7 @@ These requirements help protect you from rootkits while allowing you to run any - **Configure UEFI to trust your custom bootloader.** All Certified For Windows 10 PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems. - **Turn off Secure Boot.** All Certified For Windows 10 PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however. -To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. For more information about Secure Boot, read the blog, [Protecting the pre-OS environment with UEFI](https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx). +To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot cannot be turned off, and you cannot load a different operating system. Fortunately, there is a large market of ARM devices designed to run other operating systems. diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md index 69a9d636c7..3b223b9331 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md +++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md @@ -37,9 +37,9 @@ There are no system access control lists (SACLs) for shared folders. If this pol | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to very high volume of events, especially for SYSVOL share.
We recommend monitoring Failure access attempts: the volume should not be very high. You will be able to see who was not able to get access to a file or folder on a network share on a computer. | -| Member Server | IF | Yes | IF | Yes | IF – If a server has shared network folders which typically get many access requests (File Server, for example), the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for member servers should not be very high (if they are not File Servers). With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. | -| Workstation | IF | Yes | IF | Yes | IF – If a workstation has shared network folders which typically get many access requests, the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for workstations should not be very high. With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. | +| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to high volume of events, especially for SYSVOL share.
We recommend monitoring Failure access attempts: the volume should not be high. You will be able to see who was not able to get access to a file or folder on a network share on a computer. | +| Member Server | IF | Yes | IF | Yes | IF – If a server has shared network folders that typically get many access requests (File Server, for example), the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for member servers should not be high (if they are not File Servers). With Failure auditing, you can see who can't access a file or folder on a network share on this computer. | +| Workstation | IF | Yes | IF | Yes | IF – If a workstation has shared network folders that typically get many access requests, the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for workstations should not be high. With Failure auditing, you can see who can't access a file or folder on a network share on this computer. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md index e9047b6c8a..5775f97220 100644 --- a/windows/security/threat-protection/auditing/audit-group-membership.md +++ b/windows/security/threat-protection/auditing/audit-group-membership.md @@ -1,6 +1,6 @@ --- title: Audit Group Membership (Windows 10) -description: The advanced security audit policy setting, Audit Group Membership, enables you to audit group memberships when they are enumerated on the client PC. +description: Using the advanced security audit policy setting, Audit Group Membership, you can audit group memberships when they're enumerated on the client PC. ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9 ms.reviewer: manager: dansimp @@ -20,8 +20,7 @@ ms.date: 04/19/2017 - Windows 10 - Windows Server 2016 - -Audit Group Membership enables you to audit group memberships when they are enumerated on the client computer. +By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer. This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. @@ -33,15 +32,15 @@ Multiple events are generated if the group membership information cannot fit in **Event volume**: -- Low on a client computer. +- Low on a client computer. -- Medium on a domain controller or network servers. +- Medium on a domain controller or network servers. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | Yes | No | Yes | No | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. | +| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. | +| Workstation | Yes | No | Yes | No | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md index c4d6606795..011a5d397c 100644 --- a/windows/security/threat-protection/auditing/audit-logoff.md +++ b/windows/security/threat-protection/auditing/audit-logoff.md @@ -23,7 +23,7 @@ ms.date: 07/16/2018 Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated. -These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to. +These events occur on the computer that was accessed. For an interactive logon, these events are generated on the computer that was logged on to. There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. @@ -31,13 +31,13 @@ Logon events are essential to understanding user activity and detecting potentia **Event volume**: High. -This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. +This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff, the security audit event is generated on the computer that the user account logged on to. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md index f1227802bd..b75e993891 100644 --- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md @@ -1,6 +1,6 @@ --- -title: Audit Non Sensitive Privilege Use (Windows 10) -description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. +title: Audit Non-Sensitive Privilege Use (Windows 10) +description: This article for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 ms.reviewer: manager: dansimp @@ -14,14 +14,14 @@ author: dansimp ms.date: 04/19/2017 --- -# Audit Non Sensitive Privilege Use +# Audit Non-Sensitive Privilege Use **Applies to** - Windows 10 - Windows Server 2016 -Audit Non Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges: +Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges: - Access Credential Manager as a trusted caller diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md index af17bfed1e..53466cf41c 100644 --- a/windows/security/threat-protection/change-history-for-threat-protection.md +++ b/windows/security/threat-protection/change-history-for-threat-protection.md @@ -1,8 +1,8 @@ --- -title: Change history for [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +title: Change history for [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ms.reviewer: ms.author: dansimp -description: This topic lists new and updated topics in the WWindows Defender ATP content set. +description: This topic lists new and updated topics in the Defender for Endpoint content set. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,11 +16,11 @@ ms.localizationpriority: medium --- # Change history for threat protection -This topic lists new and updated topics in the [Microsoft Defender ATP](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) documentation. +This topic lists new and updated topics in the [Defender for Endpoint](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) documentation. ## August 2018 New or changed topic | Description ---------------------|------------ -[Microsoft Defender Advanced Threat Protection](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Windows Defender ATP platform. +[Microsoft Defender for Endpoint](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Defender for Endpoint platform. diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index add9bc1309..f37748f9d5 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -13,13 +13,13 @@ manager: dansimp audience: ITPro --- -# How to control USB devices and other removable media using Microsoft Defender ATP +# How to control USB devices and other removable media using Microsoft Defender for Endpoint -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Microsoft Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: +Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: -1. [Discover plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity. +1. [Discover plug and play connected events for peripherals in Microsoft Defender for Endpoint advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity. 2. Configure to allow or block only certain removable devices and prevent threats. 1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by using USB device IDs. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. @@ -28,22 +28,22 @@ Microsoft recommends [a layered approach to securing removable media](https://ak - Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware. - The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB. - Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in. -3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). +3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender for Endpoint events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). 4. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral. >[!Note] ->These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Microsoft Defender ATP and Azure Information Protection. +>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Microsoft Defender for Endpoint and Azure Information Protection. ## Discover plug and play connected events -You can view plug and play connected events in Microsoft Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. -For examples of Microsoft Defender ATP advanced hunting queries, see the [Microsoft Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). +You can view plug and play connected events in Microsoft Defender for Endpoint advanced hunting to identify suspicious usage activity or perform internal investigations. +For examples of Defender for Endpoint advanced hunting queries, see the [Microsoft Defender for Endpoint hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). -Sample Power BI report templates are available for Microsoft Defender ATP that you can use for Advanced hunting queries. With these sample templates, including one for device control, you can integrate the power of Advanced hunting into Power BI. See the [GitHub repository for PowerBI templates](https://github.com/microsoft/MDATP-PowerBI-Templates) for more information. See [Create custom reports using Power BI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) to learn more about Power BI integration. +Sample Power BI report templates are available for Microsoft Defender for Endpoint that you can use for Advanced hunting queries. With these sample templates, including one for device control, you can integrate the power of Advanced hunting into Power BI. See the [GitHub repository for PowerBI templates](https://github.com/microsoft/MDATP-PowerBI-Templates) for more information. See [Create custom reports using Power BI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) to learn more about Power BI integration. ## Allow or block removable devices -The following table describes the ways Microsoft Defender ATP can allow or block removable devices based on granular configuration. +The following table describes the ways Microsoft Defender for Endpoint can allow or block removable devices based on granular configuration. | Control | Description | |----------|-------------| @@ -54,11 +54,11 @@ The following table describes the ways Microsoft Defender ATP can allow or block | [Allow installation and usage of specifically approved peripherals with matching device instance IDs](#allow-installation-and-usage-of-specifically-approved-peripherals-with-matching-device-instance-ids) | You can only install and use approved peripherals that match any of these device instance IDs. | | [Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs](#prevent-installation-and-usage-of-specifically-prohibited-peripherals-with-matching-device-instance-ids) | You can't install or use prohibited peripherals that match any of these device instance IDs. | | [Limit services that use Bluetooth](#limit-services-that-use-bluetooth) | You can limit the services that can use Bluetooth. | -| [Use Microsoft Defender ATP baseline settings](#use-microsoft-defender-atp-baseline-settings) | You can set the recommended configuration for ATP by using the Microsoft Defender ATP security baseline. | +| [Use Microsoft Defender for Endpoint baseline settings](#use-microsoft-defender-for-endpoint-baseline-settings) | You can set the recommended configuration for ATP by using the Defender for Endpoint security baseline. | ### Restrict USB drives and other peripherals -To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender ATP can help prevent installation and usage of USB drives and other peripherals. +To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender for Endpoint can help prevent installation and usage of USB drives and other peripherals. | Control | Description |----------|-------------| @@ -75,7 +75,7 @@ The above policies can also be set through the [Device Installation CSP settings > [!Note] > Always test and refine these settings with a pilot group of users and devices first before applying them in production. -For more information about controlling USB devices, see the [Microsoft Defender ATP blog](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/). +For more information about controlling USB devices, see the [Microsoft Defender for Endpoint blog](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/). #### Allow installation and usage of USB drives and other peripherals @@ -189,7 +189,7 @@ Allowing installation of specific devices requires also enabling [DeviceInstalla ### Prevent installation of specifically prohibited peripherals -Microsoft Defender ATP blocks installation and usage of prohibited peripherals by using either of these options: +Microsoft Defender for Endpoint blocks installation and usage of prohibited peripherals by using either of these options: - [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class. - [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses). @@ -212,26 +212,26 @@ Using Intune, you can limit the services that can use Bluetooth through the ["Bl  -### Use Microsoft Defender ATP baseline settings +### Use Microsoft Defender for Endpoint baseline settings -The Microsoft Defender ATP baseline settings represent the recommended configuration for ATP. Configuration settings for baseline are located in the edit profile page of the configuration settings. +The Microsoft Defender for Endpoint baseline settings represent the recommended configuration for ATP. Configuration settings for baseline are located in the edit profile page of the configuration settings.  ## Prevent threats from removable storage -Removable storage devices can introduce additional security risk to your organization. Microsoft Defender ATP can help identify and block malicious files on removable storage devices. +Removable storage devices can introduce additional security risk to your organization. Microsoft Defender for Endpoint can help identify and block malicious files on removable storage devices. -Microsoft Defender ATP can also prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. +Microsoft Defender for Endpoint can also prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. Note that if you block USB devices or any other device classes using the device installation policies, connected devices, such as phones, can still charge. >[!NOTE] >Always test and refine these settings with a pilot group of users and devices first before widely distributing to your organization. -The following table describes the ways Microsoft Defender ATP can help prevent threats from removable storage. +The following table describes the ways Microsoft Defender for Endpoint can help prevent threats from removable storage. -For more information about controlling USB devices, see the [Microsoft Defender ATP blog](https://aka.ms/devicecontrolblog). +For more information about controlling USB devices, see the [Microsoft Defender for Endpoint blog](https://aka.ms/devicecontrolblog). | Control | Description | |----------|-------------| @@ -327,7 +327,7 @@ For information on device control related advance hunting events and examples on ## Respond to threats -You can create custom alerts and automatic response actions with the [Microsoft Defender ATP Custom Detection Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using [PowerApps](https://powerapps.microsoft.com/) and [Flow](https://flow.microsoft.com/) with the [Microsoft Defender ATP connector](https://docs.microsoft.com/connectors/wdatp/). The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See [Connectors](https://docs.microsoft.com/connectors/) to learn more about connectors. +You can create custom alerts and automatic response actions with the [Microsoft Defender for Endpoint Custom Detection Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using [PowerApps](https://powerapps.microsoft.com/) and [Flow](https://flow.microsoft.com/) with the [Microsoft Defender for Endpoint connector](https://docs.microsoft.com/connectors/wdatp/). The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See [Connectors](https://docs.microsoft.com/connectors/) to learn more about connectors. For example, using either approach, you can automatically have the Microsoft Defender Antivirus run when a USB device is mounted onto a machine. diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 35846937a0..8dc3221ed3 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -16,9 +16,7 @@ ms.reviewer: # Enable virtualization-based protection of code integrity -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. diff --git a/windows/security/threat-protection/device-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md index 3ebdf7bf95..2d935942a3 100644 --- a/windows/security/threat-protection/device-guard/memory-integrity.md +++ b/windows/security/threat-protection/device-guard/memory-integrity.md @@ -16,9 +16,7 @@ manager: dansimp # Memory integrity -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) Memory integrity is a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. It uses hardware virtualization and Hyper-V to protect Windows kernel mode processes from the injection and execution of malicious or unverified code. The integrity of code that runs on Windows is validated by memory integrity, making Windows resistant to attacks from malicious software. Memory integrity is a powerful security boundary that helps to block many types of malware from running in Windows 10 and Windows Server 2016 environments. diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index d594900ce7..535e713ba2 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -17,9 +17,7 @@ ms.author: dansimp # Baseline protections and additional qualifications for virtualization-based protection of code integrity -**Applies to** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 4ddfd7b193..88ac6667fb 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,6 +1,6 @@ --- title: Threat Protection (Windows 10) -description: Microsoft Defender Advanced Threat Protection is a unified platform for preventative protection, post-breach detection, automated investigation, and response. +description: Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -17,12 +17,12 @@ ms.topic: conceptual --- # Threat Protection -[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. +[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. > [!TIP] > Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/). -
Microsoft Defender ATP
Microsoft Defender for Endpoint
 Threat & vulnerability management |
@@ -37,7 +37,7 @@ ms.topic: conceptual
|||||||||||||
@@ -73,7 +73,7 @@ The attack surface reduction set of capabilities provide the first line of defen **[Next-generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
-To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats. +To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. - [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) - [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus) @@ -98,7 +98,7 @@ Endpoint detection and response capabilities are put in place to detect, investi **[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**
-In addition to quickly responding to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) - [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) @@ -107,16 +107,16 @@ In addition to quickly responding to advanced attacks, Microsoft Defender ATP of **[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**
-Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. +Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. - [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md) - [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md) -- [Configure your Microsoft Threat Protection managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md) +- [Configure your Microsoft 365 Defender managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md) **[Centralized configuration and administration, APIs](microsoft-defender-atp/management-apis.md)**
-Integrate Microsoft Defender Advanced Threat Protection into your existing workflows. +Integrate Microsoft Defender for Endpoint into your existing workflows. - [Onboarding](microsoft-defender-atp/onboard-configure.md) - [API and SIEM integration](microsoft-defender-atp/configure-siem.md) - [Exposed APIs](microsoft-defender-atp/apis-intro.md) @@ -125,14 +125,14 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf **[Integration with Microsoft solutions](microsoft-defender-atp/threat-protection-integration.md)**
- Microsoft Defender ATP directly integrates with various Microsoft solutions, including: + Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including: - Intune -- Office 365 ATP -- Azure ATP -- Azure Security Center +- Microsoft Defender for Office 365 +- Microsoft Defender for Identity +- Azure Defender - Skype for Business - Microsoft Cloud App Security -**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
- With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. +**[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
+ With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md index c7b63fd5fd..f7895be9f2 100644 --- a/windows/security/threat-protection/intelligence/exploits-malware.md +++ b/windows/security/threat-protection/intelligence/exploits-malware.md @@ -37,11 +37,11 @@ Several notable threats, including Wannacry, exploit the Server Message Block (S Examples of exploit kits: -- Angler / [Axpergle](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fAxpergle) +- Angler / [Axpergle](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Axpergle) -- [Neutrino](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fNeutrino) +- [Neutrino](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/NeutrinoEK) -- [Nuclear](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Exploit:JS/Neclu) +- [Nuclear](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Neclu) To learn more about exploits, read this blog post on [taking apart a double zero-day sample discovered in joint hunt with ESET.](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/) diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index a5f4583231..9be24dcbe2 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -98,6 +98,6 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with ## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender Advanced Threat Protection [(Microsoft Defender ATP)](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index d70c3f606b..f2cd0a919e 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md @@ -64,7 +64,7 @@ If in doubt, contact the business by known channels to verify if any suspicious * [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. Using various layers of filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international spam, that will further enhance your protection services. -* Use [Office 365 Advanced Threat Protection (ATP)](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection. +* Use [Microsoft Defender for Office 365](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection. ## What to do if you've been a victim of a phishing scam diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index 3313e1d680..026d1653b0 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md @@ -103,11 +103,11 @@ Microsoft provides comprehensive security capabilities that help protect against * [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data. -* [Office 365 Advanced Threat Protection](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders. +* [Microsoft Defender for Office 365](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders. * [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection. -* [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender ATP alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender ATP free of charge. +* [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender for Endpoint free of charge. * [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account. @@ -117,6 +117,6 @@ Microsoft provides comprehensive security capabilities that help protect against ## What to do with a malware infection -Microsoft Defender ATP antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects. +Microsoft Defender for Endpoint antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects. In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware). diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md index eb417b74dd..87e0080d20 100644 --- a/windows/security/threat-protection/intelligence/understanding-malware.md +++ b/windows/security/threat-protection/intelligence/understanding-malware.md @@ -21,7 +21,7 @@ Malware is a term used to describe malicious applications and code that can caus Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims. -As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)), businesses can stay protected with next-generation protection and other security capabilities. +As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), businesses can stay protected with next-generation protection and other security capabilities. For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index 604fc20a9a..613d0bb3b1 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -22,7 +22,7 @@ ms.custom: nextgen **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=22146631) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md index f141caebc4..3b56a59a48 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md @@ -1,6 +1,6 @@ --- title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 -description: Learn how to manage, configure, and use Microsoft Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016 +description: Learn how to manage, configure, and use Microsoft Defender Antivirus, built-in antimalware and antivirus protection. keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -10,28 +10,30 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 02/25/2020 +ms.date: 11/12/2020 ms.reviewer: manager: dansimp ms.custom: nextgen --- -# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 +# Next-generation protection in Windows [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Windows 10 +- Windows Server 2016 +- Windows Server 2019 ## Microsoft Defender Antivirus: Your next-generation protection -Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint. Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following: +Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Your next-generation protection services include the following capabilities: -- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware. -- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats. -- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md). This includes updates related to keeping Microsoft Defender Antivirus up to date. +- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md), which includes always-on scanning using file and process behavior monitoring and other heuristics (also known as *real-time protection*). It also includes detecting and blocking apps that are deemed unsafe, but might not be detected as malware. +- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md), which includes near-instant detection and blocking of new and emerging threats. +- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md), which includes updates related to keeping Microsoft Defender Antivirus up to date. ## Try a demo! @@ -42,7 +44,7 @@ Visit the [Microsoft Defender for Endpoint demo website](https://demo.wd.microso ## Minimum system requirements -Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see: +Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see the following resources: - [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) - [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 6cc3ece08f..964923be28 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -14,7 +14,7 @@ audience: ITPro author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 10/14/2020 +ms.date: 11/12/2020 --- # Protect security settings with tamper protection @@ -29,7 +29,7 @@ ms.date: 10/14/2020 ## Overview -During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring. +During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring. With tamper protection, malicious apps are prevented from taking actions such as: @@ -92,7 +92,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal- 1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune: - - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.) + - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.) - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.) - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above). - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).) @@ -132,7 +132,7 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release > [!IMPORTANT] > The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure. -If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 using tenant attach. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices. +If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 by using tenant attach. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices. 1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions). @@ -183,9 +183,9 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -If you are using Configuration Manager, version 2006 with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy). +If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy). -### Will tamper protection have any impact on third party antivirus registration? +### Will tamper protection have any impact on third-party antivirus registration? No. Third-party antivirus offerings will continue to register with the Windows Security application. @@ -210,7 +210,7 @@ Your regular group policy doesn’t apply to tamper protection, and changes to M > [!NOTE] > A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection. -To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings. +To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior using GPO and allow tamper protection to protect your Microsoft Defender Antivirus settings. Some sample Microsoft Defender Antivirus settings: @@ -246,7 +246,7 @@ If a device is off-boarded from Microsoft Defender for Endpoint, tamper protecti Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**. -In addition, your security operations team can use hunting queries, such as the following: +In addition, your security operations team can use hunting queries, such as the following example: `DeviceAlertEvents | where Title == "Tamper Protection bypass"` diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md index 801706b95c..6c91515428 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md @@ -21,7 +21,8 @@ manager: dansimp **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index 007fa751d5..ab42d2eb12 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -16,7 +16,7 @@ ms.custom: asr # Frequently asked questions - Microsoft Defender Application Guard -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) Answering frequently asked questions about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 1903c17792..2ead755621 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -17,7 +17,7 @@ ms.custom: asr # Prepare to install Microsoft Defender Application Guard **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Review system requirements diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 4acd29aa2d..74a41b6ffc 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -16,8 +16,7 @@ ms.custom: asr # Microsoft Defender Application Guard overview -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 5757f18c10..81623005a4 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -16,7 +16,7 @@ ms.custom: asr # System requirements for Microsoft Defender Application Guard -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md index 11c95b7ebf..928df9d3fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -24,7 +24,7 @@ manager: dansimp Applies to: - Windows 10 multi-session running on Windows Virtual Desktop (WVD) > [!IMPORTANT] -> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future. +> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender for Endpoint. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future. > [!WARNING] > Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 6abe8ff951..48fd0bee7d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -140,7 +140,8 @@ The information below list the proxy and firewall configuration information requ |------|---------|--------|--------| |*.ods.opinsights.azure.com |Port 443 |Outbound|Yes | |*.oms.opinsights.azure.com |Port 443 |Outbound|Yes | -|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.azure-automation.net |Port 443 |Outbound|Yes | > [!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index ad4b3d8853..0af0c2d391 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -249,12 +249,14 @@ To offboard the Windows server, you can use either of the following methods: 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: ```powershell + $ErrorActionPreference = "SilentlyContinue" # Load agent scripting object $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg # Remove OMS Workspace - $AgentCfg.RemoveCloudWorkspace($WorkspaceID) + $AgentCfg.RemoveCloudWorkspace("WorkspaceID") # Reload the configuration and apply changes $AgentCfg.ReloadConfiguration() + ``` ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 368d58eee8..4530161e10 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -10,7 +10,7 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: ksarens manager: dansimp --- @@ -54,8 +54,8 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- If the app you want to configure is already listed, click it and then click **Edit**. - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows. @@ -70,12 +70,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: -Enabled in **Program settings** | Enabled in **System settings** | Behavior --|-|- -[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** -[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** -[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** -[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option +|Enabled in **Program settings** | Enabled in **System settings** | Behavior | +|:---|:---|:---| +|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** | +|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** | +|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** | +|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option | ### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default @@ -98,8 +98,8 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- If the app you want to configure is already listed, click it and then click **Edit**. - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. @@ -209,41 +209,41 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. -Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet -- | - | - | - -Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available -Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available -Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available -Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available -Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available -Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned -Disable extension points | App-level only | ExtensionPoint | Audit not available -Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall -Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available -Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available +|Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet | +|:---|:---|:---|:---| +|Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | +|Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | +|Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | +|Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available +|Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available +|Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available +|Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +|Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +|Block remote images | App-level only | BlockRemoteImages | Audit not available +|Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +|Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +|Disable extension points | App-level only | ExtensionPoint | Audit not available +|Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall +|Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess +|Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | +||Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | +|Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] | +|Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | +|Validate handle usage | App-level only | StrictHandle | Audit not available | +|Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available | +|Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] | \[1\]: Use the following format to enable EAF modules for DLLs for a process: ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` - +\[2\]: Audit for this mitigation is not available via Powershell cmdlets. ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. -## Related topics +## See also * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md index 9c552f4e9c..b86fec795a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md @@ -26,7 +26,7 @@ ms.topic: conceptual To get preview features for Mac, you must set up your device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). > [!IMPORTANT] -> Make sure you have enabled [Microsoft Defender for Endpoint (Mac)](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md), and [manual deployment](mac-install-manually.md) instructions. +> Make sure you have enabled [Microsoft Defender for Endpoint (Mac)](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-for-endpoint-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md), and [manual deployment](mac-install-manually.md) instructions. ## Enable the Insider program with Jamf diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 4bbd942ec8..fb00021426 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -50,18 +50,30 @@ This page explains how to create an AAD application, get an access token to Micr ## Create an app -1. Log on to [Azure](https://portal.azure.com) with user that has **Global Administrator** role. +1. Log on to [Azure](https://portal.azure.com) with a user account that has the **Global Administrator** role. 2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**.  -3. In the registration from, enter the following information then select **Register**. +3. When the **Register an application** page appears, enter your application's registration information: -  + - **Name** - Enter a meaningful application name that will be displayed to users of the app. + - **Supported account types** - Select which accounts you would like your application to support. - - **Name:** -Your application name- - - **Application type:** Public client + | Supported account types | Description | + |-------------------------|-------------| + | **Accounts in this organizational directory only** | Select this option if you're building a line-of-business (LOB) application. This option is not available if you're not registering the application in a directory.
This option maps to Azure AD only single-tenant.
This is the default option unless you're registering the app outside of a directory. In cases where the app is registered outside of a directory, the default is Azure AD multi-tenant and personal Microsoft accounts. | + | **Accounts in any organizational directory** | Select this option if you would like to target all business and educational customers.
This option maps to an Azure AD only multi-tenant.
If you registered the app as Azure AD only single-tenant, you can update it to be Azure AD multi-tenant and back to single-tenant through the **Authentication** blade. | + | **Accounts in any organizational directory and personal Microsoft accounts** | Select this option to target the widest set of customers.
This option maps to Azure AD multi-tenant and personal Microsoft accounts.
If you registered the app as Azure AD multi-tenant and personal Microsoft accounts, you cannot change this in the UI. Instead, you must use the application manifest editor to change the supported account types. | + + - **Redirect URI (optional)** - Select the type of app you're building, **Web** or **Public client (mobile & desktop)**, and then enter the redirect URI (or reply URL) for your application. + - For web applications, provide the base URL of your app. For example, `http://localhost:31544` might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application. + - For public client applications, provide the URI used by Azure AD to return token responses. Enter a value specific to your application, such as `myapp://auth`. + + To see specific examples for web applications or native applications, check out our [quickstarts](/azure/active-directory/develop/#quickstarts). + + When finished, select **Register**. 4. Allow your Application to access Microsoft Defender for Endpoint and assign it 'Read alerts' permission: diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-completed-by.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-completed-by.png new file mode 100644 index 0000000000..d41220688e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-completed-by.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md index a446f06755..3cb8685e67 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md @@ -2,7 +2,7 @@ title: Manage indicators ms.reviewer: description: Manage indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities. -keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -65,8 +65,13 @@ expirationTime | DateTimeOffset | The expiration time of the indicator in the fo severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional** recommendedActions | String | TI indicator alert recommended actions. **Optional** rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional** +category | String | Category of the alert. Examples include: Execution and credential access. **Optional** +mitretechniques| String | MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/). **Optional** It is recommended to add a value in category when a MITRE technique. -## Related topics +For more information, see [Microsoft Defender ATP alert categories are now aligned with MITRE ATT&CK!](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-atp-alert-categories-are-now-aligned-with/ba-p/732748). + + +## See also - [Create indicators](manage-indicators.md) - [Create indicators for files](indicator-file.md) - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md index 599bf6a2fd..a9e415015a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md @@ -29,7 +29,6 @@ ms.date: 04/24/2018 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -[!include[Prerelease information](../../includes/prerelease.md)] >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md index 04b95ce93b..2e17fbc6fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md @@ -58,6 +58,9 @@ Wildcard | Description | Example | Matches | Does not match \* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/*/*.log` | `/var/log/system.log` | `/var/log/nested/system.log` ? | Matches any single character | `file?.log` | `file1.log`
`file2.log` | `file123.log` +>[!NOTE] +>The product attempts to resolve firmlinks when evaluating exclusions. Firmlink resolution does not work when the exclusion contains wildcards or the target file (on the `Data` volume) does not exist. + ## How to configure the list of exclusions ### From the management console diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 7c00c8af5a..b40f3ea88c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -23,25 +23,16 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +> [!IMPORTANT] +> On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md). > [!IMPORTANT] -> In preparation for macOS 11 Big Sur, we are getting ready to release an update to Microsoft Defender for Endpoint for Mac that will leverage new system extensions instead of kernel extensions. Apple will stop supporting kernel extensions starting macOS 11 Big Sur version. Therefore an update to the Microsoft Defender for Endpoint for Mac agent is required on all eligible macOS devices prior to moving these devices to macOS 11. -> -> The update is applicable to devices running macOS version 10.15.4 or later. -> -> To ensure that the Microsoft Defender for Endpoint for Mac update is delivered and applied seamlessly from an end-user experience perspective, a new remote configuration must be deployed to all eligible macOS devices before Microsoft publishes the new agent version. If the configuration is not deployed prior to the Microsoft Defender for Endpoint for Mac agent update, end-users will be presented with a series of system dialogs asking to grant the agent all necessary permissions associated with the new system extensions. -> -> Timing: -> - Organizations that previously opted into Microsoft Defender for Endpoint preview features in Microsoft Defender Security Center, must be ready for Microsoft Defender for Endpoint for Mac agent update **by August 10, 2020**. -> - Organizations that do not participate in public previews for Microsoft Defender for Endpoint features, must be ready **by September 07, 2020**. -> -> Action is needed by IT administrator. Review the steps below and assess the impact on your organization: -> -> 1. Deploy the specified remote configuration to eligible macOS devices before Microsoft publishes the new agent version.
-> Even though Microsoft Defender for Endpoint for Mac new implementation based on system extensions is only applicable to devices running macOS version 10.15.4 or later, deploying configuration proactively across the entire macOS fleet will ensure that even down-level devices are prepared for the day when Apple releases macOS 11 Big Sur and will ensure that Microsoft Defender for Endpoint for Mac continues protecting all macOS devices regardless OS version they were running prior to the Big Sur upgrade. -> -> 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md). -> 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update. +> Extensive testing of MDE (Microsoft Defender for Endpoint) with new system extensions on macOS 11 (Big Sur) revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. In the meantime, if you encounter such a kernel panic, please submit a feedback report to Apple through the Feedback Assistant app. + +## 101.13.75 + +- Fixed a memory leak in the Endpoint Security system extension when running on mac 11 (Big Sur) +- Bug fixes ## 101.10.72 @@ -57,9 +48,6 @@ ms.topic: conceptual - This product version has been validated on macOS Big Sur 11 beta 9 - > [!IMPORTANT] - > Extensive testing of MDE (Microsoft Defender for Endpoint) with new macOS system extensions revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. - - The new syntax for the `mdatp` command-line tool is now the default one. For more information on the new syntax, see [Resources for Microsoft Defender for Endpoint for Mac](mac-resources.md#configuring-from-the-command-line) > [!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md index c4df93659f..fae0dfc00e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md @@ -17,16 +17,16 @@ ms.collection: M365-security-compliance ms.topic: article --- -# View and organize the Microsoft Defender ATP Devices list +# View and organize the Microsoft Defender for Endpoint Devices list [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint)](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink) The **Devices list** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices with alerts seen in the last 30 days. @@ -61,7 +61,7 @@ The exposure level reflects the current exposure of the device based on the cumu If the exposure level says "No data available," there are a few reasons why this may be the case: - Device stopped reporting for more than 30 days – in that case it is considered inactive, and the exposure isn't computed -- Device OS not supported - see [minimum requirements for Microsoft Defender ATP](minimum-requirements.md) +- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md) - Device with stale agent (very unlikely) ### OS Platform @@ -106,4 +106,4 @@ Filter the list based on the grouping and tagging that you've added to individua ## Related topics -- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) +- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index 9a210d00da..92810d1d1f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -17,17 +17,17 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Manage Microsoft Defender Advanced Threat Protection alerts +# Manage Microsoft Defender for Endpoint alerts [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink) -Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**. +Defender for Endpoint notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**. You can manage alerts by selecting an alert in the **Alerts queue**, or the **Alerts** tab of the Device page for an individual device. @@ -43,7 +43,7 @@ If an alert is not yet assigned, you can select **Assign to me** to assign the a ## Suppress alerts -There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. +There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Defender for Endpoint lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed. @@ -82,7 +82,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can 3. Select the **Triggering IOC**. 4. Specify the action and scope on the alert.
- You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and device timeline and will appear as resolved across Microsoft Defender ATP APIs.
Alerts that are marked as hidden will be suppressed from the entire system, both on the device's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs. + You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and device timeline and will appear as resolved across Defender for Endpoint APIs.
Alerts that are marked as hidden will be suppressed from the entire system, both on the device's associated alerts and from the dashboard and will not be streamed across Defender for Endpoint APIs. 5. Enter a rule name and a comment. @@ -120,10 +120,10 @@ Added comments instantly appear on the pane. ## Related topics - [Manage suppression rules](manage-suppression-rules.md) -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) +- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md) +- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md) +- [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md) +- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md) +- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md) +- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md) +- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md index 36d77dce37..94a77a1007 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md @@ -61,7 +61,7 @@ The following table lists various tasks you can perform to configure Microsoft D |**Use Conditional Access** to control the devices and apps that can connect to your email and company resources |[Configure Conditional Access in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access) | |**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)) |[Device restrictions: Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)
[Policy CSP - Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) | |**If necessary, specify exclusions for Microsoft Defender Antivirus**
*Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.* |[Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/help/822158/virus-scanning-recommendations-for-enterprise-computers)
[Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 devices](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions)
[Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus)| -|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers
*Configure your attack surface reduction rules in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender)
[Endpoint protection: Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction)
[Learn more about attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
[Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) | +|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers
*Configure your attack surface reduction rules in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender for Endpoint ](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender)
[Endpoint protection: Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction)
[Learn more about attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
[Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) | |**Configure your network filtering** to block outbound connections from any app to IP addresses or domains with low reputations
*Network filtering is also referred to as [network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection).*
*Make sure that Windows 10 devices have the latest [antimalware platform updates](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform) installed.*|[Endpoint protection: Network filtering](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering)
[Review network protection events in Windows Event Viewer](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection#review-network-protection-events-in-windows-event-viewer) | |**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access)
[Enable controlled folder access in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#intune) | |**Configure exploit protection** to protect your organization's devices from malware that uses exploits to spread and infect other devices
*[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection) is also referred to as Exploit Guard.* |[Endpoint protection: Microsoft Defender Exploit Guard](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-exploit-guard)
[Enable exploit protection in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection#intune) | diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index ab130cb910..501b9ea75e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -50,7 +50,6 @@ Whether taken automatically or upon approval, remediation actions following an a - Remove a registry key - Kill a process - Stop a service -- Remove a registry key - Disable a driver - Remove a scheduled task @@ -70,7 +69,7 @@ The following table summarizes remediation actions following an automated invest |Any of the **Full** or **Semi** automation levels |A verdict of *No threats found* is reached for a piece of evidence.
No remediation actions are taken, and no actions are pending approval. |[View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center) | |**No automated response** (this is not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. |[Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) | -In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions). +In Microsoft Defender for Endpoint, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions). > [!TIP] > To learn more about remediation actions following an automated investigation, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md index 0b5d31597f..a82c4c98cc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md @@ -25,11 +25,11 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink) Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md index 29529c8847..c60093cd86 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md @@ -25,11 +25,11 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink) Automation folder exclusions allow you to specify folders that the Automated investigation will skip. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md index f0cd8403c1..4fa8c2f463 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md @@ -19,13 +19,13 @@ ms.collection: ms.topic: article --- -# Manage Microsoft Defender ATP incidents +# Manage Microsoft Defender for Endpoint incidents [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index d5186273e9..e13c8bff5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -24,22 +24,22 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response). Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the device group to apply it to. -Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV). +Currently supported sources are the cloud detection engine of Defender for Endpoint, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV). **Cloud detection engine**
-The cloud detection engine of Microsoft Defender ATP regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC. +The cloud detection engine of Defender for Endpoint regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC. **Endpoint prevention engine**
-The same list of indicators is honored by the prevention agent. Meaning, if Microsoft Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Microsoft Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Microsoft Defender AV will not detect nor block the file from being run. +The same list of indicators is honored by the prevention agent. Meaning, if Microsoft Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Microsoft Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Microsoft Defender AV will not detect nor block the file from being run. **Automated investigation and remediation engine**
The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad". @@ -64,5 +64,5 @@ You can create an indicator for: ## Related topics - [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) -- [Use the Microsoft Defender ATP indicators API](ti-indicator.md) +- [Use the Microsoft Defender for Endpoint indicators API](ti-indicator.md) - [Use partner integrated solutions](partner-applications.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md index d13aa975d2..bf6e43d5b2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md @@ -24,7 +24,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see [Suppress alerts](manage-alerts.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index c3176ac54a..83cad3a708 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md @@ -24,19 +24,19 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mgt-apis-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mgt-apis-abovefoldlink) -Microsoft Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform. +Defender for Endpoint supports a wide variety of options to ensure that customers can easily adopt the platform. -Acknowledging that customer environments and structures can vary, Microsoft Defender ATP was created with flexibility and granular control to fit varying customer requirements. +Acknowledging that customer environments and structures can vary, Defender for Endpoint was created with flexibility and granular control to fit varying customer requirements. ## Endpoint onboarding and portal access Device onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client devices and Azure Security Center for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for devices management. -Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: +Defender for Endpoint provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: - Globally distributed organizations and security teams - Tiered model security operations teams - Fully segregated divisions with single centralized global security operations teams @@ -44,30 +44,30 @@ Microsoft Defender ATP provides fine-grained control over what users with access ## Available APIs The Microsoft Defender ATP solution is built on top of an integration-ready platform. -Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. +Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. - + -The Microsoft Defender ATP APIs can be grouped into three: -- Microsoft Defender ATP APIs +The Defender for Endpoint APIs can be grouped into three: +- Microsoft Defender for Endpoint APIs - Raw data streaming API - SIEM integration -## Microsoft Defender ATP APIs +## Microsoft Defender for Endpoint APIs -Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear, and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form. +Defender for Endpoint offers a layered API model exposing data and capabilities in a structured, clear, and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form. -Watch this video for a quick overview of Microsoft Defender ATP's APIs. +Watch this video for a quick overview of Defender for Endpoint's APIs. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M] -The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information, see, [Supported APIs](exposed-apis-list.md). +The **Investigation API** exposes the richness of Defender for Endpoint - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information, see, [Supported APIs](exposed-apis-list.md). The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate devices from the network, quarantine files, and others. ## Raw data streaming API -Microsoft Defender ATP raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism. +Defender for Endpoint raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism. -The Microsoft Defender ATP event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines. +The Defender for Endpoint event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines. For more information, see, [Raw data streaming API](raw-data-export.md). @@ -76,7 +76,7 @@ For more information, see, [Raw data streaming API](raw-data-export.md). When you enable security information and event management (SIEM) integration, it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant. For more information, see, [SIEM integration](enable-siem-integration.md) ## Related topics -- [Access the Microsoft Defender Advanced Threat Protection APIs ](apis-intro.md) +- [Access the Microsoft Defender for Endpoint APIs ](apis-intro.md) - [Supported APIs](exposed-apis-list.md) - [Technical partner opportunities](partner-integration.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md index e9fa0412b0..efb438eb60 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md @@ -24,12 +24,12 @@ ms.date: 09/22/2020 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho --- -# Migrate from McAfee to Microsoft Defender Advanced Threat Protection +# Migrate from McAfee to Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide to plan your migration. +If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide to plan your migration. ## The migration process diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md index 8813e53523..858c7f0d06 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md @@ -34,10 +34,10 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho ||*You are here!* | | -**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps: +**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps: 1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode). 2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus). -3. [Add Microsoft Defender ATP to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee). +3. [Add Microsoft Defender for Endpoint to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee). 4. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus). 5. [Add McAfee to the exclusion list for Microsoft Defender for Endpoint](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-for-endpoint). 6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units). diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md index 16dd867662..98816a74b8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md @@ -25,26 +25,26 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -To benefit from Microsoft Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration. +To benefit from Microsoft Defender for Endpoint cloud app discovery signals, turn on Microsoft Cloud App Security integration. >[!NOTE] >This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. -> See [Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration) for detailed integration of Microsoft Defender ATP with Microsoft Cloud App Security. +> See [Microsoft Defender for Endpoint integration with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration) for detailed integration of Microsoft Defender ATP with Microsoft Cloud App Security. -## Enable Microsoft Cloud App Security in Microsoft Defender ATP +## Enable Microsoft Cloud App Security in Microsoft Defender for Endpoint 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select **Microsoft Cloud App Security** and switch the toggle to **On**. 3. Click **Save preferences**. -Once activated, Microsoft Defender ATP will immediately start forwarding discovery signals to Cloud App Security. +Once activated, Microsoft Defender for Endpoint will immediately start forwarding discovery signals to Cloud App Security. ## View the data collected -To view and access Microsoft Defender ATP data in Microsoft Cloud Apps Security, see [Investigate devices in Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration#investigate-machines-in-cloud-app-security). +To view and access Microsoft Defender for Endpoint data in Microsoft Cloud Apps Security, see [Investigate devices in Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration#investigate-machines-in-cloud-app-security). For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps). diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md index a23303c507..87814b1b25 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md @@ -19,12 +19,12 @@ ms.topic: conceptual ms.date: 10/18/2018 --- -# Microsoft Cloud App Security in Microsoft Defender ATP overview +# Microsoft Cloud App Security in Defender for Endpoint overview [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] @@ -33,9 +33,9 @@ Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution th >[!NOTE] >This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10 version 1809 or later. -## Microsoft Defender ATP and Cloud App Security integration +## Microsoft Defender for Endpoint and Cloud App Security integration -Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity. +Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender for Endpoint integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity. > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yQ] @@ -44,9 +44,9 @@ The integration provides the following major improvements to the existing Cloud - Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers. -- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Microsoft Defender ATP and Cloud App Security integration, there's no configuration required. Just switch it on in Microsoft Defender Security Center settings and you're good to go. +- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Defender for Endpoint and Cloud App Security integration, there's no configuration required. Just switch it on in Microsoft Defender Security Center settings and you're good to go. -- Device context - Cloud traffic logs lack device context. Microsoft Defender ATP network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it. +- Device context - Cloud traffic logs lack device context. Defender for Endpoint network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it. For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps). diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index b37274b4cb..0969e12f2d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -24,14 +24,14 @@ ms.topic: conceptual > For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). -Microsoft Defender Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. +Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob] +>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4wDob] -Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: +Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: -- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP. +- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint. - **Cloud security analytics**: Leveraging big-data, device-learning, and @@ -42,12 +42,12 @@ Microsoft Defender ATP uses the following combination of technology built into W - **Threat intelligence**: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat - intelligence enables Microsoft Defender ATP to identify attacker + intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they are observed in collected sensor data. -
Microsoft Defender ATP
Microsoft Defender for Endpoint
| Threat & Vulnerability Management |
@@ -69,11 +69,11 @@ Microsoft Defender ATP uses the following combination of technology built into W
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4vnC4?rel=0]
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vnC4?rel=0]
> [!TIP]
-> - Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
-> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
+> - Learn about the latest enhancements in Defender for Endpoint: [What's new in Microsoft Defender for Endpoint](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+> - Microsoft Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
@@ -104,15 +104,15 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft
**[Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)**
- 
+
Phase 1: Prepare |
- 
+
Phase 2: Set up |
- 
+
Phase 3: Onboard |
@@ -54,13 +54,13 @@ Deploying Microsoft Defender ATP is a three-phase process:
You are currently in the onboarding phase.
-These are the steps you need to take to deploy Microsoft Defender ATP:
+These are the steps you need to take to deploy Defender for Endpoint:
- Step 1: Onboard endpoints to the service
- Step 2: Configure capabilities
## Step 1: Onboard endpoints using any of the supported management tools
-The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Microsoft Defender ATP.
+The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Defender for Endpoint.
After identifying your architecture, you'll need to decide which deployment method to use. The deployment tool you choose influences how you onboard endpoints to the service.
@@ -88,7 +88,7 @@ The tools in the example deployments are:
- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
-Using the mentioned deployment tools above, you'll then be guided in configuring the following Microsoft Defender ATP capabilities:
+Using the mentioned deployment tools above, you'll then be guided in configuring the following Defender for Endpoint capabilities:
- Endpoint detection and response configuration
- Next-generation protection configuration
- Attack surface reduction configuration
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index 6af7ba9c0f..6f7a10acf3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -26,7 +26,7 @@ ms.topic: conceptual
**Applies to:**
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
index 3e8077b6b8..9135f4ebe0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
@@ -23,7 +23,7 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
index 0f3c036938..f79f0792f3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
@@ -25,15 +25,15 @@ ms.topic: conceptual
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
+Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4o1j5]
-Inspired by the "assume breach" mindset, Microsoft Defender ATP continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors.
+Inspired by the "assume breach" mindset, Defender for Endpoint continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors.
The response capabilities give you the power to promptly remediate threats by acting on the affected entities.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
index 8b32269fe0..c1705995b8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
@@ -22,9 +22,9 @@ ms.date: 09/07/2018
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender ATP.
+Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender for Endpoint.
| Feature | Description |
|------------|-------------|
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
index 822b5afaab..3f1a57820c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
@@ -18,21 +18,22 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Partner applications in Microsoft Defender ATP
+# Partner applications in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
+Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
-The support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; enabling security teams to effectively respond better to modern threats.
+The support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender for Endpoint; enabling security teams to effectively respond better to modern threats.
+
+Microsoft Defender for Endpoint seamlessly integrates with existing security solutions. The integration provides integration with the following solutions such as:
-Microsoft Defender ATP seamlessly integrates with existing security solutions. The integration provides integration with the following solutions such as:
- SIEM
- Ticketing and IT service management solutions
- Managed security service providers (MSSP)
@@ -47,16 +48,18 @@ Microsoft Defender ATP seamlessly integrates with existing security solutions. T
Logo |Partner name | Description
:---|:---|:---
-| [AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502) | AttackIQ Platform validates Microsoft Defender ATP is configured properly by launching continuous attacks safely on production assets
-| [AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705) | Stream alerts from Microsoft Defender Advanced Threat Protection into Azure Sentinel
- | [Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)| Correlate Microsoft Defender ATP findings with simulated attacks to validate accurate detection and effective response actions
+| [AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502) | AttackIQ Platform validates Defender for Endpoint is configured properly by launching continuous attacks safely on production assets
+
+| [AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705) | Stream alerts from Microsoft Defender for Endpoint into Azure Sentinel
+ | [Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)| Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions
 | [Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303) | Elastic Security is a free and open solution for preventing, detecting, and responding to threats
- | [IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903) | Configure IBM QRadar to collect detections from Microsoft Defender ATP
- | [Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548) | Use Micro Focus ArcSight to pull Microsoft Defender ATP detections
- | [RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566) | Stream Microsoft Defender ATP Alerts to RSA NetWitness leveraging Microsoft Graph Security API
- | [SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)| Gain visibility into Microsoft Defender ATP security events that are automatically correlated with SafeBreach simulations
+ | [IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903) | Configure IBM QRadar to collect detections from Defender for Endpoint
+
+ | [Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548) | Use Micro Focus ArcSight to pull Defender for Endpoint detections
+ | [RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566) | Stream Defender for Endpoint Alerts to RSA NetWitness leveraging Microsoft Graph Security API
+ | [SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)| Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations
 | [Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467) | Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities
- | [Splunk](https://go.microsoft.com/fwlink/?linkid=2129805) | The Microsoft Defender ATP Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk
+ | [Splunk](https://go.microsoft.com/fwlink/?linkid=2129805) | The Defender for Endpoint Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk
 | [XM Cyber](https://go.microsoft.com/fwlink/?linkid=2136700) | Prioritize your response to an alert based on risk factors and high value assets
### Orchestration and automation
@@ -64,31 +67,31 @@ Logo |Partner name | Description
Logo |Partner name | Description
:---|:---|:---
- | [CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943) | CyOps integrates with Microsoft Defender ATP to automate customers' high-speed incident response playbooks
- | [Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468) | Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Microsoft Defender ATP with its cloud-native SOAR platform, ActiveEye.
- | [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414) | Demisto integrates with Microsoft Defender ATP to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response
- | [Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300) | Use the Microsoft Defender ATP connectors for Azure Logic Apps & Microsoft Flow to automating security procedures
- | [Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040) | InsightConnect integrates with Microsoft Defender ATP to accelerate, streamline, and integrate your time-intensive security processes
+ | [CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943) | CyOps integrates with Defender for Endpoint to automate customers' high-speed incident response playbooks
+ | [Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468) | Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Defender for Endpoint with its cloud-native SOAR platform, ActiveEye.
+ | [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414) | Demisto integrates with Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response
+ | [Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300) | Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures
+ | [Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040) | InsightConnect integrates with Defender for Endpoint to accelerate, streamline, and integrate your time-intensive security processes
 | [ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621) | Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration
- | [Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902) | Maximize incident response capabilities utilizing Swimlane and Microsoft Defender ATP together
+ | [Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902) | Maximize incident response capabilities utilizing Swimlane and Defender for Endpoint together
### Threat intelligence
Logo |Partner name | Description
:---|:---|:---
- | [MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2127543) | Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Microsoft Defender ATP environment
- | [Palo Alto Networks](https://go.microsoft.com/fwlink/?linkid=2099582) | Enrich your endpoint protection by extending Autofocus and other threat feeds to Microsoft Defender ATP using MineMeld
- | [ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115) | Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Microsoft Defender ATP indicators
+ | [MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2127543) | Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Defender for Endpoint environment
+ | [Palo Alto Networks](https://go.microsoft.com/fwlink/?linkid=2099582) | Enrich your endpoint protection by extending Autofocus and other threat feeds to Defender for Endpoint using MineMeld
+ | [ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115) | Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Defender for Endpoint indicators
### Network security
Logo |Partner name | Description
:---|:---|:---
- | [Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544) | Ensure Microsoft Defender ATP is installed and updated on each endpoint before allowing access to the network
+ | [Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544) | Ensure Defender for Endpoint is installed and updated on each endpoint before allowing access to the network
 | [Blue Hexagon for Network](https://go.microsoft.com/fwlink/?linkid=2104613) | Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection
- | [CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620) | Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Microsoft Defender ATP environment
+ | [CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620) | Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Defender for Endpoint environment
 |[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)| Vectra applies AI & security research to detect and respond to cyber-attacks in real time
@@ -100,13 +103,13 @@ Logo |Partner name | Description
| [Corrata](https://go.microsoft.com/fwlink/?linkid=2081148) | Mobile solution — Protect your mobile devices with granular visibility and control from Corrata
| [Lookout](https://go.microsoft.com/fwlink/?linkid=866935)| Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices
 | [Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)| SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices
-| [Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Microsoft Defender ATP to iOS and Android with Machine Learning-based Mobile Threat Defense
+| [Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense
## Additional integrations
Logo |Partner name | Description
:---|:---|:---
-| [Cyren Web Filter](https://go.microsoft.com/fwlink/?linkid=2108221)| Enhance your Microsoft Defender ATP with advanced Web Filtering
+| [Cyren Web Filter](https://go.microsoft.com/fwlink/?linkid=2108221)| Enhance your Defender for Endpoint with advanced Web Filtering
| [Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)| Provides Moving Target Defense-powered advanced threat prevention and integrates forensics data directly into WD Security Center dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information
| [THOR Cloud](https://go.microsoft.com/fwlink/?linkid=862988)| Provides on-demand live forensics scans using a signature base with focus on persistent threats
@@ -114,27 +117,27 @@ Logo |Partner name | Description
## SIEM integration
-Microsoft Defender ATP supports SIEM integration through a variety of methods — specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md).
+Defender for Endpoint supports SIEM integration through a variety of methods — specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md).
## Ticketing and IT service management
-Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API.
+Ticketing solution integration helps to implement manual and automatic response processes. Defender for Endpoint can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API.
## Security orchestration and automation response (SOAR) integration
-Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
+Orchestration solutions can help build playbooks and integrate the rich data model and actions that Defender for Endpoint APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
## External alert correlation and Automated investigation and remediation
-Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale.
+Defender for Endpoint offers unique automated investigation and remediation capabilities to drive incident response at scale.
Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
-External alerts can be pushed into Microsoft Defender ATP and is presented side by side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert — with the real process and the full story of attack.
+External alerts can be pushed into Defender for Endpoint and is presented side by side with additional device-based alerts from Defender for Endpoint. This view provides a full context of the alert — with the real process and the full story of attack.
## Indicators matching
You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs).
-Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to block execution and take remediation actions when there's a match.
+Defender for Endpoint allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to block execution and take remediation actions when there's a match.
-Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators.
+Defender for Endpoint currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators.
## Support for non-Windows platforms
-Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms, including mobile devices. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network.
+Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms, including mobile devices. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
index 7aa19efe08..349dc8d30d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
@@ -18,42 +18,42 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Microsoft Defender ATP partner opportunities and scenarios
+# Microsoft Defender for Endpoint partner opportunities and scenarios
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Microsoft Defender ATP.
+Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Defender for Endpoint.
-The APIs span functional areas including detection, management, response, vulnerabilities, and intelligence-wide range of use cases. Based on the use case and need, partners can either stream or query data from Microsoft Defender ATP.
+The APIs span functional areas including detection, management, response, vulnerabilities, and intelligence-wide range of use cases. Based on the use case and need, partners can either stream or query data from Defender for Endpoint.
## Scenario 1: External alert correlation and Automated investigation and remediation
-Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale.
+Defender for Endpoint offers unique automated investigation and remediation capabilities to drive incident response at scale.
Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products will help to address alerts. The integration also minimizes the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
-Microsoft Defender ATP adds support for this scenario in the following forms:
+Defender for Endpoint adds support for this scenario in the following forms:
-- External alerts can be pushed into Microsoft Defender ATP and presented side by side with additional device-based alerts from Microsoft Defender ATP. This view provides the full context of the alert - with the real process and the full story of attack.
+- External alerts can be pushed into Defender for Endpoint and presented side by side with additional device-based alerts from Defender for Endpoint. This view provides the full context of the alert - with the real process and the full story of attack.
-- Once an alert is generated, the signal is shared across all Microsoft Defender ATP protected endpoints in the enterprise. Microsoft Defender ATP takes immediate automated or operator-assisted response to address the alert.
+- Once an alert is generated, the signal is shared across all Defender for Endpoint protected endpoints in the enterprise. Defender for Endpoint takes immediate automated or operator-assisted response to address the alert.
## Scenario 2: Security orchestration and automation response (SOAR) integration
-Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
+Orchestration solutions can help build playbooks and integrate the rich data model and actions that Defender for Endpoint APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
## Scenario 3: Indicators matching
-Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection, and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action.
+Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Defender for Endpoint and gives the ability to set a list of indicators for prevention, detection, and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action.
The above scenarios serve as examples of the extensibility of the platform. You are not limited to the examples and we certainly encourage you to leverage the open framework to discover and explore other scenarios.
-Follow the steps in [Become a Microsoft Defender ATP partner](get-started-partner-integration.md) to integrate your solution in Microsoft Defender ATP.
+Follow the steps in [Become a Microsoft Defender for Endpoint partner](get-started-partner-integration.md) to integrate your solution in Defender for Endpoint.
## Related topic
- [Overview of management and APIs](management-apis.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
index 699cc87da7..e4679370bb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -23,9 +23,9 @@ ms.topic: conceptual
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches.
@@ -33,7 +33,7 @@ You can use [Microsoft Defender Security Center](https://securitycenter.windows.
- View, sort, and triage alerts from your endpoints
- Search for more information on observed indicators such as files and IP Addresses
-- Change Microsoft Defender ATP settings, including time zone and review licensing information
+- Change Microsoft Defender for Endpoint settings, including time zone and review licensing information
## Microsoft Defender Security Center
@@ -42,7 +42,7 @@ When you open the portal, you'll see:
- (1) Navigation pane (select the horizontal lines at the top of the navigation pane to show or hide it)
- (2) Search, Community center, Localization, Help and support, Feedback
- 
+ 
> [!NOTE]
> Malware related detections will only appear if your devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
@@ -54,29 +54,29 @@ Area | Description
**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Devices list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it.
**Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, devices at risk, users at risk, devices with sensor issues, service health, detection sources, and daily devices reporting dashboards.
**Incidents** | View alerts that have been aggregated as incidents.
-**Devices list** | Displays the list of devices that are onboarded to Microsoft Defender ATP, some information about them, and their exposure and risk levels.
+**Devices list** | Displays the list of devices that are onboarded to Defender for Endpoint, some information about them, and their exposure and risk levels.
**Alerts queue** | View alerts generated from devices in your organizations.
**Automated investigations** | Displays automated investigations that have been conducted in the network, triggering alert, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
**Reports** | View graphs detailing threat protection, device health and compliance, web protection, and vulnerability.
**Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings.
**Threat & Vulnerability management** | View your Microsoft Secure Score for Devices, exposure score, exposed devices, vulnerable software, and take action on top security recommendations.
-**Evaluation and tutorials** | Manage test devices, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment.
-**Service health** | Provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
+**Evaluation and tutorials** | Manage test devices, attack simulations, and reports. Learn and experience the Defender for Endpoint capabilities through a guided walk-through in a trial environment.
+**Service health** | Provides information on the current status of the Defender for Endpoint service. You'll be able to verify that the service health is healthy or if there are current issues.
**Configuration management** | Displays on-boarded devices, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your devices.
**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, device management, IT service management, and network assessments.
-**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by device, file, user, URL, IP, vulnerability, software, and recommendation. **Community center** - Access the Community center to learn, collaborate, and share experiences about the product. **Localization** - Set time zones. **Help and support** - Access the Microsoft Defender ATP guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Microsoft Defender ATP evaluation lab, consult a threat expert. **Feedback** - Provide comments about what you like or what we can do better.
+**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by device, file, user, URL, IP, vulnerability, software, and recommendation. **Community center** - Access the Community center to learn, collaborate, and share experiences about the product. **Localization** - Set time zones. **Help and support** - Access the Defender for Endpoint guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Defender for Endpoint evaluation lab, consult a threat expert. **Feedback** - Provide comments about what you like or what we can do better.
> [!NOTE]
> For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions.
-## Microsoft Defender ATP icons
+## Microsoft Defender for Endpoint icons
The following table provides information on the icons used all throughout the portal:
Icon | Description
:---|:---
-| Microsoft Defender ATP logo
+| Microsoft Defender for Endpoint logo
| Alert – Indication of an activity correlated with advanced attacks.
| Detection – Indication of a malware threat detection.
| Active threat – Threats actively executing at the time of detection.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
index f74d49ee22..ab2b412ae2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@@ -21,9 +21,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+**Applies to:** [Microsoft Defender for Endpoint]https://go.microsoft.com/fwlink/p/?linkid=2146631)
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
index 59653a5fc2..335e716372 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
@@ -23,9 +23,9 @@ ms.topic: article
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
Use the **Settings** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
index fe2d128e37..3c320f4601 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -20,30 +20,30 @@ ms.collection:
ms.topic: article
---
-# Prepare Microsoft Defender ATP deployment
+# Prepare Microsoft Defender for Endpoint deployment
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-Deploying Microsoft Defender ATP is a three-phase process:
+Deploying Defender for Endpoint is a three-phase process:
|
-
+
Phase 1: Prepare |
-
+
Phase 2: Set up |
@@ -68,7 +68,7 @@ Deploying Microsoft Defender ATP is a three-phase process:
You are currently in the preparation phase.
-Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Microsoft Defender ATP.
+Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Defender for Endpoint.
## Stakeholders and approval
@@ -111,8 +111,7 @@ required in technologies or processes.
## Role-based access control
-Microsoft recommends using the concept of least privileges. Microsoft Defender
-ATP leverages built-in roles within Azure Active Directory. Microsoft recommends
+Microsoft recommends using the concept of least privileges. Defender for Endpoint leverages built-in roles within Azure Active Directory. Microsoft recommends
[review the different roles that are
available](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles-azure-portal)
and choose the right one to solve your needs for each persona for this
@@ -132,7 +131,7 @@ Management](https://docs.microsoft.com/azure/active-directory/active-directory-p
to manage your roles to provide additional auditing, control, and access review
for users with directory permissions.
-Microsoft Defender ATP supports two ways to manage permissions:
+Defender for Endpoint supports two ways to manage permissions:
- **Basic permissions management**: Set permissions to either full access or
read-only. In the case of basic permissions management users with Global
@@ -144,7 +143,7 @@ Microsoft Defender ATP supports two ways to manage permissions:
groups access to device groups. For more information. see [Manage portal access using role-based access control](rbac.md).
Microsoft recommends leveraging RBAC to ensure that only users that have a
-business justification can access Microsoft Defender ATP.
+business justification can access Defender for Endpoint.
You can find details on permission guidelines
[here](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group).
@@ -167,16 +166,16 @@ place. The bare minimum every organization should have been an antivirus solutio
Historically, replacing any security solution used to be time intensive and difficult
to achieve due to the tight hooks into the application layer and infrastructure
-dependencies. However, because Microsoft Defender ATP is built into the
+dependencies. However, because Defender for Endpoint is built into the
operating system, replacing third-party solutions is now easy to achieve.
-Choose the component of Microsoft Defender ATP to be used and remove the ones
+Choose the component of Defender for Endpoint to be used and remove the ones
that do not apply. The table below indicates the order Microsoft recommends for
how the endpoint security suite should be enabled.
| Component | Description | Adoption Order Rank |
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
-| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 | +| Endpoint Detection & Response (EDR) | Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 | |Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Invaluable device vulnerability context during incident investigations - Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager [Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 | | Next-generation protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes: -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus. - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection"). - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research. [Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 | | Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP help protect the devices and applications in the organization from new and emerging threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 | diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md index 0609532537..8c1f70f474 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md @@ -16,15 +16,15 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: article --- -# Turn on the preview experience in Microsoft Defender ATP +# Turn on the preview experience in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-previewsettings-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-previewsettings-abovefoldlink) Turn on the preview experience setting to be among the first to try upcoming features. @@ -36,8 +36,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea 2. Toggle the setting between **On** and **Off** and select **Save preferences**. ## Related topics -- [Update general settings in Microsoft Defender ATP](data-retention-settings.md) -- [Turn on advanced features in Microsoft Defender ATP](advanced-features.md) -- [Configure email notifications in Microsoft Defender ATP](configure-email-notifications.md) -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) +- [Update general settings in Microsoft Defender for Endpoint](data-retention-settings.md) +- [Turn on advanced features in Microsoft Defender for Endpoint](advanced-features.md) +- [Configure email notifications in Microsoft Defender for Endpoint](configure-email-notifications.md) +- [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 5ed93079a0..f8bc3dccad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -19,7 +19,7 @@ ms.collection: ms.topic: conceptual --- -# Microsoft Defender ATP preview features +# Microsoft Defender for Endpoint preview features [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -27,19 +27,19 @@ ms.topic: conceptual >The preview versions are provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -The Microsoft Defender ATP service is constantly being updated to include new feature enhancements and capabilities. +The Defender for Endpoint service is constantly being updated to include new feature enhancements and capabilities. > [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink) -Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience. >[!TIP] >Get notified when this page is updated by copying and pasting the following URL into your feed reader: `https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+preview+features%22&locale=en-us` -For more information on new capabilities that are generally available, see [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md). +For more information on new capabilities that are generally available, see [What's new in Defender for Endpoint](whats-new-in-microsoft-defender-atp.md). ## Turn on preview features @@ -54,22 +54,22 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: -- [Microsoft Defender ATP for iOS](microsoft-defender-atp-ios.md) Microsoft Defender ATP now adds support for iOS. Learn how to install, configure, and use Microsoft Defender ATP for iOS. +- [Microsoft Defender for Endpoint for iOS](microsoft-defender-atp-ios.md) Microsoft Defender ATP now adds support for iOS. Learn how to install, configure, and use Microsoft Defender ATP for iOS. -- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android. +- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) Microsoft Defender for Endpoint now adds support for Android. Learn how to install, configure, and use Microsoft Defender for Endpoint for Android. -- [Web Content Filtering](web-content-filtering.md) Web content filtering is part of web protection capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns. +- [Web Content Filtering](web-content-filtering.md) Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns. - [Device health and compliance report](machine-reports.md) The device health and compliance report provides high-level information about the devices in your organization. - [Information protection](information-protection-in-windows-overview.md) -Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. +Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender for Endpoint is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. >[!NOTE] >Partially available from Windows 10, version 1809. -- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019) Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices. +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019) Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices. > [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index a1c3772e14..516c64e1b5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -20,28 +20,28 @@ ms.collection: ms.topic: article --- -# Set up Microsoft Defender ATP deployment +# Set up Microsoft Defender for Endpoint deployment [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Deploying Microsoft Defender ATP is a three-phase process: +Deploying Defender for Endpoint is a three-phase process:
|