diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index b23dc6e57b..46ae254e64 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -142,6 +142,8 @@ ### [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) #### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md) #### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md) +### [eUICCs CSP](euiccs-csp.md) +#### [eUICCs DDF file](euiccs-ddf-file.md) ### [FileSystem CSP](filesystem-csp.md) ### [Firewall CSP](firewall-csp.md) #### [Firewall DDF file](firewall-ddf-file.md) diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md new file mode 100644 index 0000000000..127aa77257 --- /dev/null +++ b/windows/client-management/mdm/euiccs-csp.md @@ -0,0 +1,87 @@ +--- +title: eUICCs CSP +description: eUICCs CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 11/01/2017 +--- + +# eUICCs CSP + + +The eUICCs configuration service provider... This CSP was added in windows 10, version 1709. + +The following diagram shows the eUICCs configuration service provider in tree format. + +![euiccs csp](images/provisioning-csp-euiccs.png) + +**./Vendor/MSFT/eUICCs** +Root node. + +**_eUICC_** +Interior node. Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. + +Supported operation is Get. + +**_eUICC_/Identifier** +Required. Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID. + +Supported operation is Get. Value type is string. + +**_eUICC_/IsActive** +Required. Indicates whether this eUICC is physically present and active. Updated only by the LPA. + +Supported operation is Get. Value type is boolean. + +**_eUICC_/Profiles** +Interior node. Required. Represents all enterprise-owned profiles. + +Supported operation is Get. + +**_eUICC_/Profiles/_ICCID_** +Interior node. Optional. Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). + +Supported operations are Add, Get, and Delete. + +**_eUICC_/Profiles/_ICCID_/ServerName** +Required. Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. + +Supported operations are Add and Get. Value type is string. + +**_eUICC_/Profiles/_ICCID_/MatchingID** +Required. Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. + +Supported operations are Add and Get. Value type is string. + +**_eUICC_/Profiles/_ICCID_/State** +Required. Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. + +Supported operation is Get. Value type is integer. Default value is 1. + +**_eUICC_/Policies** +Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile). + +Supported operation is Get. + +**_eUICC_/Policies/LocalUIEnabled** +Required. Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. + +Supported operations are Get and Replace. Value type is boolean. Default value is true. + +**_eUICC_/Actions** +Interior node. Required. Actions that can be performed on the eUICC as a whole (when it is active). + +Supported operation is Get. + +**_eUICC_/Actions/ResetToFactoryState** +Required. An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. + +Supported operation is Execute. Value type is string. + +**_eUICC_/Actions/Status** +Required. Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. + +Supported value is Get. Value type is integer. Default is 0. \ No newline at end of file diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md new file mode 100644 index 0000000000..d3d539c88e --- /dev/null +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -0,0 +1,343 @@ +--- +title: eUICCs DDF file +description: eUICCs DDF file +ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 06/19/2017 +--- + +# eUICCs DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **eUICCs** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +``` syntax + +]> + + 1.2 + + eUICCs + ./Vendor/MSFT + + + + + Subtree for all embedded UICCs (eUICC) + + + + + + + + + + + + + + com.microsoft/1.0/MDM/eUICCs + + + + + + + + + Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. + + + + + + + + + + eUICC + + + + + + Identifier + + + + + Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID. + + + + + + + + + + + + + + text/plain + + + + + IsActive + + + + + Indicates whether this eUICC is physically present and active. Updated only by the LPA. + + + + + + + + + + + text/plain + + + + + Profiles + + + + + Represents all enterprise-owned profiles. + + + + + + + + + + + + + + + + + + + + + + Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). + + + + + + + + + + ICCID + + + + + + ServerName + + + + + + Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. + + + + + + + + + + + + + + text/plain + + + + + MatchingID + + + + + + Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. + + + + + + + + + + + + + + text/plain + + + + + State + + + + + 1 + Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. + + + + + + + + + + + text/plain + + + + + + + Policies + + + + + Device policies associated with the eUICC as a whole (not per-profile). + + + + + + + + + + + + + + + LocalUIEnabled + + + + + + true + Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. + + + + + + + + + + + text/plain + + + + + + Actions + + + + + Actions that can be performed on the eUICC as a whole (when it is active). + + + + + + + + + + + + + + + ResetToFactoryState + + + + + An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. + + + + + + + + + + + text/plain + + + + + Status + + + + + 0 + Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. + + + + + + + + + + + text/plain + + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index b15f378072..94f9d6bbf9 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -263,7 +263,7 @@ The following diagram shows the Firewall configuration service provider in tree

If not specified - a new rule is disabled by default.

Boolean value. Supported operations are Get and Replace.

-**FirewallRules_FirewallRuleName_/Profiles** +**FirewallRules/_FirewallRuleName_/Profiles**

Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types.

If not specified, the default is All.

Value type is integer. Supported operations are Get and Replace.

@@ -290,7 +290,7 @@ The following diagram shows the Firewall configuration service provider in tree

Value type is string. Supported operations are Get and Replace.

-**FirewallRules/FirewallRuleName/InterfaceTypes** +**FirewallRules/_FirewallRuleName_/InterfaceTypes**

Comma separated list of interface types. Valid values:

+ +[eUICCs CSP](euiccs-csp.md) +

Added new CSP in Windows 10, version 1709.

+ [AssignedAccess CSP](assignedaccess-csp.md)

Added SyncML examples for the new Configuration node.

diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index d01dd5566e..646d49acd0 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -175,14 +175,6 @@ ms.date: 11/01/2017

Most restricted value is 0. -

Benefit to the customer: - -

Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive. - -

Sample scenario: - -

An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more. -

diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 986357c45a..c312c4ddc9 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -60,7 +60,7 @@ #### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md) #### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md) ##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md) -###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) +###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) ###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) ###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) ###### [Remove app restriction](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) @@ -71,6 +71,7 @@ ###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) ###### [Remove file from quarantine](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) ###### [Block files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) +###### [Remove file from blocked list](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) ###### [Check activity details in Action center](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) ###### [Deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) ####### [Submit files for analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) @@ -142,13 +143,13 @@ #### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md) #### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) #### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) -#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) +#### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) #### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md) ### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md) ### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) ### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md) -### [Windows Defender Antivirus compatibility](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) +### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) ## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md) ### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md) diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index a4b8d93002..f262dc08a7 100644 --- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -47,20 +47,20 @@ To see a list of alerts, click any of the queues under the **Alerts queue** opti ## Sort, filter, and group the alerts list You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order. -**Time period**
+### Time period - 1 day - 3 days - 7 days - 30 days - 6 months -**OS Platform**
+### OS Platform - Windows 10 - Windows Server 2012 R2 - Windows Server 2016 - Other -**Severity**
+### Severity Alert severity | Description :---|:--- @@ -71,7 +71,21 @@ Informational
(Grey) | Informational alerts are those that might not be con Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints. -**Detection source**
+#### Understanding alert severity +It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Windows Defender ATP alert severities are different because they represent different scopes. + +The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected. + +The Windows Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization. + +So, for example: +- The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred. +- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat. +- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". +- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. + + +### Detection source - Windows Defender AV - Windows Defender ATP - Windows Defender SmartScreen @@ -80,7 +94,7 @@ Reviewing the various alerts and their severity can help you decide on the appro >[!NOTE] >The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender Antivirus as the default real-time protection antimalware product. -**View**
+### View - **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top. - **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating similar alerts together. diff --git a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md index fbef87a600..d216067757 100644 --- a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Antivirus compatibility +title: Windows Defender Antivirus compatibility with Windows Defender ATP description: Learn about how Windows Defender works with Windows Defender ATP and how it functions when a third-party antimalware client is used. keywords: windows defender compatibility, defender, windows defender atp search.product: eADQiWindows 10XVcnh @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.date: 10/17/2017 --- -# Windows Defender Antivirus compatibility +# Windows Defender Antivirus compatibility with Windows Defender ATP **Applies to:** diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index b196a3f4fa..8003743e5d 100644 --- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -148,7 +148,7 @@ This step will guide you in exploring the custom alert in the portal. ![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png) > [!NOTE] -> It can take up to 15 minutes for the alert to appear in the portal. +> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when it becomes effective. ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 10734a86ca..f5bdb18d2e 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/17/2017 +ms.date: 11/10/2017 --- # Take response actions on a file @@ -29,17 +29,26 @@ ms.date: 10/17/2017 Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center. ->[!NOTE] -> These response actions are only available for machines on Windows 10, version 1703. +>[!IMPORTANT] +>These response actions are only available for machines on Windows 10, version 1703 or later. You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file. ## Stop and quarantine files in your network You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed. +>[!IMPORTANT] +>You can only take this action if: +> - The machine you're taking the action on is running Windows 10, version 1703 or later +> - The file does not belong to trusted third-party publishers or not signed by Microsoft +> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). + The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. -The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days. +The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days. + +>[!NOTE] +>You’ll be able to remove the file from quarantine at any time. ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: @@ -70,7 +79,7 @@ When the file is being removed from an endpoint, the following notification is s In the machine timeline, a new event is added for each machine where a file was stopped and quarantined. ->[!NOTE] +>[!IMPORTANT] >The **Action** button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal of critical system files and files used by important applications. ![Image of action button turned off](images/atp-file-action.png) @@ -97,11 +106,12 @@ You can roll back and remove a file from quarantine if you’ve determined that ## Block files in your network You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. ->[!NOTE] ->This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

-This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. This response action is available for machines on Windows 10, version 1703 or later. - >[!IMPORTANT] +>- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

+>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. +>- This response action is available for machines on Windows 10, version 1703 or later. + +>[!NOTE] > The PE file needs to be in the machine timeline for you to be able to take this action. diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 148544e3fc..3ab0892e62 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/17/2017 +ms.date: 11/10/2017 --- # Take response actions on a machine @@ -24,20 +24,19 @@ ms.date: 10/17/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. ->[!NOTE] -> These response actions are only available for machines on Windows 10, version 1703. - - +>[!IMPORTANT] +> These response actions are only available for machines on Windows 10, version 1703 or later. ## Collect investigation package from machines As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. +>[!IMPORTANT] +> This response action is available for machines on Windows 10, version 1703 or later. + You can download the package (Zip file) and investigate the events that occurred on a machine. The package contains the following folders: @@ -89,8 +88,10 @@ The package contains the following folders: ## Run Windows Defender Antivirus scan on machines As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. ->[!NOTE] -> A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. +>[!IMPORTANT] +>- This action is available for machines on Windows 10, version 1709 or later. +>- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). + 1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the following views: @@ -121,6 +122,11 @@ The machine timeline will include a new event, reflecting that a scan action was ## Restrict app execution In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. +>[!IMPORTANT] +> - This action is available for machines on Windows 10, version 1709 or later. +> - This action needs to meet the Windows Defender Application Control code integrity policy formas and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). + + The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. >[!NOTE] @@ -171,9 +177,14 @@ Depending on the severity of the attack and the state of the machine, you can ch ## Isolate machines from the network Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. +>[!IMPORTANT] +>- Full isolation is available for machines on Windows 10, version 1703. +>- Selective isolation is available for machines on Windows 10, version 1709 or later. +>- + This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. -On Windows 10, version 1709 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. +On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. >[!NOTE] >You’ll be able to reconnect the machine back to the network at any time. diff --git a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 1fbdee219b..29fbde030a 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -52,7 +52,7 @@ Windows Defender EG can be managed and reported on in the Windows Defender Secur - Windows Defender Device Guard - [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) -You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. Each of the features in Windows Defender EG have slightly different requirements: