deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-23 22:33:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into troubleshoot-sccm

Browse Source
This commit is contained in:
Joey Caparas
2020-04-06 10:49:01 -07:00
parent b48c0b1616 387d6e990e
commit df48f38eeb
480 changed files with 6759 additions and 5026 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
windows/security/identity-protection/TOC.md
View File

@ -24,6 +24,7 @@
### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
### [Credential Guard Requirements](credential-guard/credential-guard-requirements.md)
### [Manage Credential Guard](credential-guard/credential-guard-manage.md)
### [Hardware readiness tool](credential-guard/dg-readiness-tool.md)
### [Credential Guard protection limits](credential-guard/credential-guard-protection-limits.md)
### [Considerations when using Credential Guard](credential-guard/credential-guard-considerations.md)
### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)

35
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -12,7 +12,6 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 03/01/2019
ms.reviewer:
---
@ -86,22 +85,24 @@ You can do this by using either the Control Panel or the Deployment Image Servic
```
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
```
> [!NOTE]
> In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
NOTE: In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
> [!NOTE]
> [!TIP]
> You can also add these features to an online image by using either DISM or Configuration Manager.
#### Enable virtualization-based security and Windows Defender Credential Guard
1. Open Registry Editor.
2. Enable virtualization-based security:
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
- Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
- Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
3. Enable Windows Defender Credential Guard:
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
- Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
4. Close Registry Editor.
@ -112,7 +113,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic
### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg_readiness_tool.md).
You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```
DG_Readiness_Tool.ps1 -Enable -AutoReboot
@ -135,7 +136,7 @@ You can view System Information to check that Windows Defender Credential Guard
![System Information](images/credguard-msinfo32.png)
You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```
DG_Readiness_Tool_v3.6.ps1 -Ready
@ -152,8 +153,8 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: 0x1, 0
- The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means its not configured to run.
- The second variable: 0 means its configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
- The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means it's not configured to run.
- The second variable: 0 means it's configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
- **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
- **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
@ -165,9 +166,11 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
To disable Windows Defender Credential Guard, you can use the following set of procedures or [the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy.
1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard** -&gt; **Turn on Virtualization Based Security**).
2. Delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags
3. If you also wish to disable virtualization-based security delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
@ -188,14 +191,18 @@ To disable Windows Defender Credential Guard, you can use the following set of p
```
5. Restart the PC.
6. Accept the prompt to disable Windows Defender Credential Guard.
7. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.
> [!NOTE]
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings:
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set vsmlaunchtype off
> [!NOTE]
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings:
>
>```
>bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
>bcdedit /set vsmlaunchtype off
>```
> [!NOTE]
> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs.
@ -206,7 +213,7 @@ For more info on virtualization-based security and Windows Defender Device Guard
#### Disable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```
DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot

3
windows/security/identity-protection/credential-guard/dg_readiness_tool.md → windows/security/identity-protection/credential-guard/dg-readiness-tool.md
View File

@ -12,7 +12,6 @@ ms.author: stsyfuhs
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 09/18/2019
ms.reviewer:
---
# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
@ -960,7 +959,7 @@ function PrintToolVersion
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
LogAndConsole "Readiness Tool Version 3.7 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""

2
windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
View File

@ -42,7 +42,7 @@ Do not begin your deployment until the hosting servers and infrastructure (not r
## Deployment and trust models
Windows Hello for Business has two deployment models: Hybrid and On-premises. Each deployment model has two trust models: *Key trust* or *certificate trust*.
Windows Hello for Business has three deployment models: Cloud, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*.
Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.

6
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
View File

@ -154,6 +154,9 @@ These procedures configure NTFS and share permissions on the web server to allow
![CDP Share Permissions](images/aadj/cdp-share-permissions.png)
9. In the **Advanced Sharing** dialog box, click **OK**.
> [!Tip]
> Make sure that users can access **\\\Server FQDN\sharename**.
#### Disable Caching
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
@ -325,6 +328,9 @@ Sign-in a workstation with access equivalent to a _domain user_.
14. Click **Save**
15. Sign-out of the Azure portal.
> [!IMPORTANT]
> For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication).
## Section Review
> [!div class="checklist"]
> * Configure Internet Information Services to host CRL distribution point

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
View File

@ -122,11 +122,9 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co
>
> If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section.
#### Azure MFA Provider
If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant.
#### Configure Azure MFA Settings
Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
#### Azure MFA User States
After you have completed configuring your Azure MFA settings, you want to review [How to require two-step verification for a user](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
View File

@ -37,7 +37,7 @@ You are ready to configure device registration for your hybrid environment. Hybr
## Configure Azure for Device Registration
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/)
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/).
Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
@ -49,7 +49,7 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. Configure Azure Device Registration (*You are here*)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -102,8 +102,8 @@ Organizations using older directory synchronization technology, such as DirSync
<br>
## Federation with Azure ##
You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) or [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later.
## Federation with Azure
You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/whatis-phs) or [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later.
> [!div class="checklist"]
> * Non-federated environments

229
windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
View File

@ -18,9 +18,9 @@ ms.reviewer:
# Smart Card Group Policy and Registry Settings
Applies To: Windows 10, Windows Server 2016
Applies to: Windows 10, Windows Server 2016
This topic for the IT professional and smart card developer describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers.
@ -66,21 +66,23 @@ The following sections and tables list the smart card-related Group Policy setti
## Primary Group Policy settings for smart cards
The following smart card Group Policy settings are located in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card.
The following smart card Group Policy settings are in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card.
The registry keys are in the following locations:
- HKEY\_LOCAL\_MACHINE\\SOFTWARE\Policies\\Microsoft\\Windows\\ScPnP\\EnableScPnP
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\Policies\\Microsoft\\Windows\\ScPnP\\EnableScPnP**
- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider**
- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp**
> **Note**&nbsp;&nbsp;Smart card reader registry information is located in HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers.<br>Smart card registry information is located in HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards.
> [!NOTE]
> Smart card reader registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers**.<br>
Smart card registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards**.
The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this topic.
The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this article.
| **Server Type or GPO** | **Default Value** |
| **Server type or GPO** | **Default value** |
|----------------------------------------------|-------------------|
| Default Domain Policy | Not configured |
| Default Domain Controller Policy | Not configured |
@ -91,13 +93,14 @@ The following table lists the default values for these GPO settings. Variations
### Allow certificates with no extended key usage certificate attribute
This policy setting allows certificates without an enhanced key usage (EKU) set to be used for sign in.
You can use this policy setting to allow certificates without an enhanced key usage (EKU) set to be used for sign in.
> **Note**&nbsp;&nbsp;Enhanced key usage certificate attribute is also known as extended key usage.
> [!NOTE]
> Enhanced key usage certificate attribute is also known as extended key usage.
>
> In versions of Windows before Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.
In versions of Windows prior to Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.
When this policy setting is enabled, certificates with the following attributes can also be used to sign in with a smart card:
When this policy setting is turned on, certificates with the following attributes can also be used to sign in with a smart card:
- Certificates with no EKU
@ -105,7 +108,7 @@ When this policy setting is enabled, certificates with the following attributes
- Certificates with a Client Authentication EKU
When this policy setting is disabled or not configured, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card.
When this policy setting isn't turned on, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card.
| **Item** | **Description** |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
@ -116,68 +119,87 @@ When this policy setting is disabled or not configured, only certificates that c
### Allow ECC certificates to be used for logon and authentication
This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain. When this setting is enabled, ECC certificates on a smart card can be used to sign in to a domain. When this setting is disabled or not configured, ECC certificates on a smart card cannot be used to sign in to a domain.
You can use this policy setting to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain.
When this setting is turned on, ECC certificates on a smart card can be used to sign in to a domain.
When this setting isn't turned on, ECC certificates on a smart card can't be used to sign in to a domain.
| **Item** | **Description** |
|--------------------------------------|-------------------------------|
| Registry key | EnumerateECCCerts |
| Registry key | **EnumerateECCCerts** |
| Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting. <br>If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign-in when you are not connected to the network. |
| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, aren't affected by this policy setting. <br>If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign in when you're not connected to the network. |
### Allow Integrated Unblock screen to be displayed at the time of logon
This policy setting lets you determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista.
You can use this policy setting to determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista.
When this setting is enabled, the integrated unblock feature is available. When this setting is disabled or not configured, the feature is not available.
When this setting is turned on, the integrated unblock feature is available.
When this setting isn't turned on, the feature is not available.
| **Item** | **Description** |
|--------------------------------------|---------------------------------------------------------------------------------------------------------------|
| Registry key | AllowIntegratedUnblock |
| Registry key | **AllowIntegratedUnblock** |
| Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature.<br>You can create a custom message that is displayed when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). |
| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature.<br>You can create a custom message that the user sees when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). |
### Allow signature keys valid for Logon
This policy setting lets you allow signature key-based certificates to be enumerated and available for sign in. When this setting is enabled, any certificates available on the smart card with a signature-only key are listed on the sign-in screen. When this setting is disabled or not configured, certificates available on the smart card with a signature-only key are not listed on the sign-in screen.
You can use this policy setting to allow signature keybased certificates to be enumerated and available for sign in.
When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen.
When this setting isn't turned on, certificates available on the smart card with a signature-only key aren't listed on the sign-in screen.
| **Item** | **Description** |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
| Registry key | AllowSignatureOnlyKeys |
| Registry key | **AllowSignatureOnlyKeys**|
| Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
| Notes and resources | |
### Allow time invalid certificates
This policy setting permits those certificates that are expired or not yet valid to be displayed for sign-in.
You can use this policy setting to permit certificates that are expired or not yet valid to be displayed for sign in.
Prior to Windows Vista, certificates were required to contain a valid time and to not expire. To be used, the certificate must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer.
> [!NOTE]
> Before Windows Vista, certificates were required to contain a valid time and to not expire. For a certificate to be used, it must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer.
When this setting is enabled, certificates are listed on the sign-in screen whether they have an invalid time or their time validity has expired. When this setting is disabled or not configured, certificates that are expired or not yet valid are not listed on the sign-in screen.
When this setting is turned on, certificates are listed on the sign-in screen whether they have an invalid time, or their time validity has expired.
When this policy setting isn't turned on, certificates that are expired or not yet valid aren't listed on the sign-in screen.
| **Item** | **Description** |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
| Registry key | AllowTimeInvalidCertificates |
| Registry key | **AllowTimeInvalidCertificates** |
| Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
| Notes and resources | |
### Allow user name hint
This policy setting lets you determine whether an optional field is displayed during sign-in and provides a subsequent elevation process that allows users to enter their user name or user name and domain, which associates a certificate with the user. If this setting is enabled, an optional field is displayed that allows users to enter their user name or user name and domain. If this setting is disabled or not configured, the field is not displayed.
You can use this policy setting to determine whether an optional field appears during sign in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user.
When this policy setting is turned on, users see an optional field where they can enter their username or username and domain.
When this policy setting isn't turned on, users don't see this optional field.
| **Item** | **Description** |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
| Registry key | X509HintsNeeded |
| Registry key | **X509HintsNeeded**|
| Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
| Notes and resources | |
### Configure root certificate clean up
This policy setting allows you to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate. When this setting is enabled, you can set the following cleanup options:
You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate.
When this policy setting is turned on, you can set the following cleanup options:
- **No cleanup**. When the user signs out or removes the smart card, the root certificates used during their session persist on the computer.
@ -185,122 +207,168 @@ This policy setting allows you to manage the cleanup behavior of root certificat
- **Clean up certificates on log off**. When the user signs out of Windows, the root certificates are removed.
When this policy setting is disabled or not configured, root certificates are automatically removed when the user signs out of Windows.
When this policy setting isn't turned on, root certificates are automatically removed when the user signs out of Windows.
| **Item** | **Description** |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
| Registry key | RootCertificateCleanupOption |
| Registry key | **RootCertificateCleanupOption**|
| Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
| Notes and resources | |
### Display string when smart card is blocked
When this policy setting is enabled, you can create and manage the displayed message that the user sees when a smart card is blocked. When this setting is disabled or not configured (and the integrated unblock feature is also enabled), the systems default message is displayed to the user when the smart card is blocked.
You can use this policy setting to change the default message that a user sees if their smart card is blocked.
When this policy setting is turned on, you can create and manage the displayed message that the user sees when a smart card is blocked.
When this policy setting isn't turned on (and the integrated unblock feature is also enabled), the user sees the systems default message when the smart card is blocked.
| **Item** | **Description** |
|--------------------------------------|-------------------------|
| Registry key | IntegratedUnblockPromptString |
| Registry key | **IntegratedUnblockPromptString** |
| Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: This policy setting is only effective when the [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon) policy is enabled. |
| Notes and resources | |
### Filter duplicate logon certificates
This policy setting lets you use a filtering process to configure which valid sign-in certificates are displayed. During the certificate renewal period, a users smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
You can use this policy setting to configure which valid sign-in certificates are displayed.
Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (this is determined by their UPN). When this policy setting is enabled, filtering occurs so that the user will only see the most current valid certificates from which to select. If this setting is disabled or not configured, all the certificates are displayed to the user.
> [!NOTE]
> During the certificate renewal period, a users smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
>
> If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same.
When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates.
If this policy setting isn't turned on, all the certificates are displayed to the user.
This policy setting is applied to the computer after the [Allow time invalid certificates](#allow-time-invalid-certificates) policy setting is applied.
| **Item** | **Description** |
|--------------------------------------|--------------------------------------------------------------------------------------------------|
| Registry key | FilterDuplicateCerts |
| Registry key | **FilterDuplicateCerts**|
| Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. |
### Force the reading of all certificates from the smart card
This policy setting allows you to manage how Windows reads all certificates from the smart card for sign-in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card.
You can use this policy setting to manage how Windows reads all certificates from the smart card for sign in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card.
When this policy setting is enabled, Windows attempts to read all certificates from the smart card regardless of the CSP feature set. When disabled or not configured, Windows attempts to read only the default certificate from smart cards that do not support retrieval of all certificates in a single call. Certificates other than the default are not available for sign in.
When this policy setting is turned on, Windows attempts to read all certificates from the smart card, regardless of the CSP feature set.
When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign in.
| **Item** | **Description** |
|--------------------------------------|----------------------------------------------------------------------------|
| Registry key | ForceReadingAllCertificates |
| Registry key | **ForceReadingAllCertificates** |
| Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None<br><br>**Important**&nbsp;&nbsp;Enabling this policy setting can adversely impact performance during the sign in process in certain situations. |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None<br><br>**Important**: Enabling this policy setting can adversely impact performance during the sign in process in certain situations. |
| Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. |
### Notify user of successful smart card driver installation
This policy setting allows you to control whether a confirmation message is displayed to the user when a smart card device driver is installed. When this policy setting is enabled, a confirmation message is displayed when a smart card device driver is installed. When this setting is disabled or not configured, a smart card device driver installation message is not displayed.
You can use this policy setting to control whether the user sees a confirmation message when a smart card device driver is installed.
When this policy setting is turned on, the user sees a confirmation message when a smart card device driver is installed.
When this setting isn't turned on, the user doesn't see a smart card device driver installation message.
| **Item** | **Description** |
|--------------------------------------|------------------------------------------------|
| Registry key | ScPnPNotification |
| Registry key | **ScPnPNotification** |
| Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
### Prevent plaintext PINs from being returned by Credential Manager
This policy setting prevents Credential Manager from returning plaintext PINs. Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the users profile. When this policy setting is enabled, Credential Manager does not return a plaintext PIN. When this setting is disabled or not configured, plaintext PINs can be returned by Credential Manager.
You can use this policy setting to prevent Credential Manager from returning plaintext PINs.
> [!NOTE]
> Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the users profile.
When this policy setting is turned on, Credential Manager doesn't return a plaintext PIN.
When this setting isn't turned on, Credential Manager can return plaintext PINs.
| **Item** | **Description** |
|--------------------------------------|-----------------------------------------------------------------------------------|
| Registry key | DisallowPlaintextPin |
| Registry key | **DisallowPlaintextPin**|
| Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
| Notes and resources | If this policy setting is enabled, some smart cards may not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. |
| Notes and resources | If this policy setting is enabled, some smart cards might not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. |
### Reverse the subject name stored in a certificate when displaying
When this policy setting is enabled, it causes the display of the subject name to be reversed from the way it is stored in the certificate during the sign-in process.
You can use this policy setting to control the way the subject name appears during sign in.
> [!NOTE]
> To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
When this policy setting is turned on, the subject name during sign in appears reversed from the way that it's stored in the certificate.
When this policy setting isnt turned on, the subject name appears the same as its stored in the certificate.
To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
| **Item** | **Description** |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
| Registry key | ReverseSubject |
| Registry key | **ReverseSubject** |
| Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
| Notes and resources | |
### Turn on certificate propagation from smart card
This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
You can use this policy setting to manage the certificate propagation that occurs when a smart card is inserted.
> [!NOTE]
> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
If you enable or do not configure this policy setting, certificate propagation occurs when the user inserts the smart card. When this setting is disabled, certificate propagation does not occur and the certificates will not be made available to applications such as Outlook.
When this policy setting is turned on, certificate propagation occurs when the user inserts the smart card.
When this policy setting is turned off, certificate propagation doesn't occur, and the certificates aren't available to applications, like Outlook.
| **Item** | **Description** |
|--------------------------------------|----------------|
| Registry key | CertPropEnabled |
| Registry key | **CertPropEnabled**|
| Default values | No changes per operating system versions<br>Enabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: This policy setting must be enabled to allow the [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card) setting to work when it is enabled. |
| Notes and resources | |
### Turn on root certificate propagation from smart card
This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. When this policy setting is enabled or not configured, root certificate propagation occurs when the user inserts the smart card.
You can use this policy setting to manage the root certificate propagation that occurs when a smart card is inserted.
> [!NOTE]
> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
When this policy setting is turned on, root certificate propagation occurs when the user inserts the smart card.
When this policy setting isnt turned on, root certificate propagation doesnt occur when the user inserts the smart card.
| **Item** | **Description** |
|--------------------------------------|---------------------------------------------------------------------------------------------------------|
| Registry key | EnableRootCertificate Propagation |
| Registry key | **EnableRootCertificate Propagation** |
| Default values | No changes per operating system versions<br>Enabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: For this policy setting to work, the [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card) policy setting must also be enabled. |
| Notes and resources | |
### Turn on Smart Card Plug and Play service
This policy setting allows you to control whether Smart Card Plug and Play is enabled. This means that your users can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an appropriate driver is not available from Windows Update, a PIV-compliant minidriver that is included with any of the supported versions of Windows is used for these cards.
You can use this policy setting to control whether Smart Card Plug and Play is enabled.
When the Smart Card Plug and Play policy setting is enabled or not configured, and the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader. If this policy setting is disabled a device driver is not installed when a smart card is inserted in a smart card reader.
> [!NOTE]
> Your users can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an appropriate driver isn't available from Windows Update, a PIV-compliant mini driver that's included with any of the supported versions of Windows is used for these cards.
When this policy setting is turned on, the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader.
When this policy setting isn't turned on, a device driver isn't installed when a smart card is inserted in a smart card reader.
| **Item** | **Description** |
|--------------------------------------|------------------------------------------------|
| Registry key | EnableScPnP |
| Registry key | **EnableScPnP** |
| Default values | No changes per operating system versions<br>Enabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
@ -309,9 +377,9 @@ When the Smart Card Plug and Play policy setting is enabled or not configured, a
The following registry keys can be configured for the base cryptography service provider (CSP) and the smart card key storage provider (KSP). The following tables list the keys. All keys use the DWORD type.
The registry keys for the Base CSP are located in the registry in HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider.
The registry keys for the Base CSP are in the registry in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider**.
The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider.
The registry keys for the smart card KSP are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider**.
**Registry keys for the base CSP and smart card KSP**
@ -320,7 +388,7 @@ The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SY
| **AllowPrivateExchangeKeyImport** | A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios.<br>Default value: 00000000 |
| **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios.<br>Default value: 00000000 |
| **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired.<br>Default value: 00000400<br>Default key generation parameter: 1024-bit keys |
| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that do not support on-card key generation or where key escrow is required.<br>Default value: 00000000 |
| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.<br>Default value: 00000000 |
| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.<br>Default value: 000005dc1500<br>The default timeout for holding transactions to the smart card is 1.5 seconds. |
**Additional registry keys for the smart card KSP**
@ -332,14 +400,14 @@ The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SY
## CRL checking registry keys
The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you need to configure settings for both the KDC and the client.
The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you must configure settings for both the KDC and the client.
**CRL checking registry keys**
| **Registry Key** | **Details** |
|------------|-----------------------------|
| HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors | Type = DWORD<br>Value = 1 |
| HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors | Type = DWORD<br>Value = 1 |
| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD<br>Value = 1 |
| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD<br>Value = 1 |
## Additional smart card Group Policy settings and registry keys
@ -349,40 +417,41 @@ In a smart card deployment, additional Group Policy settings can be used to enha
- Interactive logon: Do not require CTRL+ALT+DEL (not recommended)
The following smart card-related Group Policy settings are located in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options.
The following smart card-related Group Policy settings are in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options.
**Local security policy settings**
| Group Policy Setting and Registry Key | Default | Description |
| Group Policy setting and registry key | Default | Description |
|------------------------------------------|------------|---------------|
| Interactive logon: Require smart card<br><br>scforceoption | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.<br><br>**Enabled** Users can only sign in to the computer by using a smart card.<br>**Disabled** Users can sign in to the computer by using any method. |
| Interactive logon: Smart card removal behavior<br><br>scremoveoption | This policy setting is not defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:<br>**No Action**<br>**Lock Workstation**: The workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.<br>**Force Logoff**: The user is automatically signed out when the smart card is removed.<br>**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. This allows the user to reinsert the smart card and resume the session later, or at another computer that is equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.<br><br>**Note**&nbsp;&nbsp;Remote Desktop Services was called Terminal Services in previous versions of Windows Server. |
| Interactive logon: Require smart card<br><br>**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.<br><br>**Enabled** Users can sign in to the computer only by using a smart card.<br>**Disabled** Users can sign in to the computer by using any method. |
| Interactive logon: Smart card removal behavior<br><br>**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:<br>**No Action**<br>**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.<br>**Force Logoff**: The user is automatically signed out when the smart card is removed.<br>**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.<br><br>**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services. |
From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers.
The following smart card-related Group Policy settings are located in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation.
The following smart card-related Group Policy settings are in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation.
Registry keys are located in HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults.
Registry keys are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**.
> **Note**&nbsp;&nbsp;In the following table, fresh credentials are those that you are prompted for when running an application.
> [!NOTE]
> In the following table, fresh credentials are those that you are prompted for when running an application.
**Credential delegation policy settings**
| Group Policy Setting and Registry Key | Default | Description |
| Group Policy setting and registry key | Default | Description |
|----------------------------------------------------------------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Allow Delegating Fresh Credentials**<br><br>AllowFreshCredentials | Not Configured | This policy setting applies: <br>When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.<br>To applications that use the CredSSP component (for example, Remote Desktop Services).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials can be delegated. <br>**Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.<br>**Disabled**: Delegation of fresh credentials to any computer is not permitted.<br><br>**Note**&nbsp;&nbsp;This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:<br>Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer. <br>Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.<br>Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com |
| **Allow Delegating Fresh Credentials with NTLM-only Server Authentication**<br><br>AllowFreshCredentialsWhenNTLMOnly | Not Configured | This policy setting applies:<br>When server authentication was achieved by using NTLM.<br>To applications that use the CredSSP component (for example, Remote Desktop).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.<br>**Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).<br>**Disabled**: Delegation of fresh credentials is not permitted to any computer.<br><br>**Note**&nbsp;&nbsp;This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.<br>See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
| **Deny Delegating Fresh Credentials**<br><br>DenyFreshCredentials | Not Configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials cannot be delegated.<br>**Disabled** or **Not Configured**: A server is not specified.<br><br>**Note**&nbsp;&nbsp;This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials cannot be delegated. A single wildcard character (\*) is permitted when specifying the SPN.<br>See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
| Allow Delegating Fresh Credentials<br><br>**AllowFreshCredentials** | Not configured | This policy setting applies: <br>When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.<br>To applications that use the CredSSP component (for example, Remote Desktop Services).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials can be delegated. <br>**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.<br>**Disabled**: Delegation of fresh credentials to any computer isn't permitted.<br><br>**Note**: This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:<br>Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer. <br>Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.<br>Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com |
| Allow Delegating Fresh Credentials with NTLM-only Server Authentication<br><br>**AllowFreshCredentialsWhenNTLMOnly** | Not configured | This policy setting applies:<br>When server authentication was achieved by using NTLM.<br>To applications that use the CredSSP component (for example, Remote Desktop).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.<br>**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).<br>**Disabled**: Delegation of fresh credentials isn't permitted to any computer.<br><br>**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.<br>See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
| Deny Delegating Fresh Credentials<br><br>**DenyFreshCredentials** | Not configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials can't be delegated.<br>**Disabled** or **Not configured**: A server is not specified.<br><br>**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can't be delegated. A single wildcard character (\*) is permitted when specifying the SPN.<br>For examples, see the "Allow delegating fresh credentials" policy setting. |
If you are using Remote Desktop Services with smart card logon, you cannot delegate default and saved credentials. The registry keys in the following table, which are located at HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults, and the corresponding Group Policy settings are ignored.
If you're using Remote Desktop Services with smart card logon, you can't delegate default and saved credentials. The registry keys in the following table, which are at **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**, and the corresponding Group Policy settings are ignored.
| **Registry key** | **Corresponding Group Policy setting** |
|-------------------------------------|---------------------------------------------------------------------------|
| AllowDefaultCredentials | Allow Delegating Default Credentials |
| AllowDefaultCredentialsWhenNTLMOnly | Allow Delegating Default Credentials with NTLM-only Server Authentication |
| AllowSavedCredentials | Allow Delegating Saved Credentials |
| AllowSavedCredentialsWhenNTLMOnly | Allow Delegating Saved Credentials with NTLM-only Server Authentication |
| **AllowDefaultCredentials** | Allow Delegating Default Credentials |
| **AllowDefaultCredentialsWhenNTLMOnly** | Allow Delegating Default Credentials with NTLM-only Server Authentication |
| **AllowSavedCredentials** | Allow Delegating Saved Credentials |
| **AllowSavedCredentialsWhenNTLMOnly** | Allow Delegating Saved Credentials with NTLM-only Server Authentication |
## See also

14
windows/security/information-protection/windows-information-protection/limitations-with-wip.md
View File

@ -53,7 +53,7 @@ This table provides info about the most common problems you might encounter whil
</tr>
<tr>
<td>WIP is designed for use by a single user per device.</td>
<td>A secondary user on a device might experience app compat issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled users content can be revoked during the unenrollment process.</td>
<td>A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled users content can be revoked during the unenrollment process.</td>
<td>We recommend only having one user per managed device.</td>
</tr>
<tr>
@ -121,17 +121,25 @@ This table provides info about the most common problems you might encounter whil
<tr>
<td>Only enlightened apps can be managed without device enrollment
</td>
<td>If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintenionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.</td>
<td>If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.</td>
<td>If all apps need to be managed, enroll the device for MDM.
</td>
</tr>
<tr>
<td>By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can&#39;t access it.<br/> </td>
<td>By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can&#39;t access it.<br/> </td>
<td>Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
</td>
<td>If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
</td>
</tr>
<tr>
<td>Microsoft Office Outlook offline data files (PST and OST files) are not marked as <strong>Work</strong> files, and are therefore not protected.
</td>
<td>If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.
</td>
<td>It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually.
</td>
</tr>
</table>
> [!NOTE]

12
windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
View File

@ -172,17 +172,7 @@ You can try any of the processes included in these scenarios, but you should foc
</ul>
</td>
</tr>
<tr>
<td>Stop Google Drive from syncing WIP protected files and folders.</td>
<td>
<ul>
<li>In silent configuration, add Google Drive to Protected Apps and set it to Deny. This way, Google Drive will not sync WIP protected files and folders.</li>
<li>Google Drive details</li>
Publisher=O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US
File=GOOGLEDRIVESYNC.EXE
</ul>
</td>
</tr>
</table>
>[!NOTE]

621
windows/security/threat-protection/TOC.md
View File

@ -6,105 +6,345 @@
### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
### [Preview features](microsoft-defender-atp/preview.md)
### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
## [Deployment strategy](microsoft-defender-atp/deployment-strategy.md)
## [Plan deployment](microsoft-defender-atp/deployment-strategy.md)
## [Deployment guide]()
### [Deployment phases](microsoft-defender-atp/deployment-phases.md)
### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
### [Phase 2: Setup](microsoft-defender-atp/production-deployment.md)
### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
## [Security administration]()
### [Threat & Vulnerability Management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
### [Configuration score](microsoft-defender-atp/configuration-score.md)
### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md)
### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
### [Threat & Vulnerability Management]()
#### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
#### [Configuration score](microsoft-defender-atp/configuration-score.md)
#### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
### [Attack surface reduction]()
#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
#### [Attack surface reduction evaluation](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
#### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
#### [Attack surface reduction controls]()
##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md)
#### [Hardware-based isolation]()
##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
##### [Hardware-based isolation evaluation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
##### [Application isolation]()
###### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md)
###### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
###### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
#### [Device control]()
##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
##### [Device Guard]()
###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
#### [Exploit protection]()
##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md)
##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md)
#### [Network protection]()
##### [Protect your network](microsoft-defender-atp/network-protection.md)
##### [Network protection evaluation](microsoft-defender-atp/evaluate-network-protection.md)
#### [Web protection]()
##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
##### [Web threat protection]()
###### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
###### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
###### [Respond to web threats](microsoft-defender-atp/web-protection-response.md)
##### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
#### [Controlled folder access]()
##### [Protect folders](microsoft-defender-atp/controlled-folders.md)
##### [Controlled folder access evaluation](microsoft-defender-atp/evaluate-controlled-folder-access.md)
#### [Network firewall]()
##### [Network firewall overview](windows-firewall/windows-firewall-with-advanced-security.md)
##### [Network firewall evaluation](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
### [Next-generation protection]()
#### [Next-generation protection overview](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
#### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
#### [Configure next-generation protection]()
##### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
###### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
##### [Configure behavioral, heuristic, and real-time protection]()
###### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
##### [Antivirus compatibility]()
###### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
##### [Deploy, manage updates, and report on antivirus]()
###### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
###### [Report on antivirus protection]()
####### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
###### [Manage updates and apply baselines]()
####### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
####### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
##### [Customize, initiate, and review the results of scans and remediation]()
###### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage antivirus in your business]()
###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
##### [Manage scans and remediation]()
###### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage next-generation protection in your business]()
###### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
#### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
#### [What's New](microsoft-defender-atp/mac-whatsnew.md)
#### [Deploy]()
##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
##### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md)
##### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
##### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
#### [Update](microsoft-defender-atp/mac-updates.md)
#### [Configure]()
##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
#### [Troubleshoot]()
##### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
##### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
##### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
##### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md)
#### [Privacy](microsoft-defender-atp/mac-privacy.md)
#### [Resources](microsoft-defender-atp/mac-resources.md)
### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
#### [What's New](microsoft-defender-atp/linux-whatsnew.md)
#### [Deploy]()
##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
##### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
##### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
#### [Update](microsoft-defender-atp/linux-updates.md)
#### [Configure]()
##### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md)
##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
#### [Troubleshoot]()
##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md)
##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md)
##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
#### [Resources](microsoft-defender-atp/linux-resources.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
## [Security operations]()
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
### [Incidents queue]()
#### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
#### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
#### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
### [Alerts queue]()
#### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
#### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
#### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
#### [Investigate files](microsoft-defender-atp/investigate-files.md)
#### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
#### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
#### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
##### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
#### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
### [Endpoint detection and response]()
#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
#### [Incidents queue]()
##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
##### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
#### [Alerts queue]()
##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
##### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
##### [Investigate files](microsoft-defender-atp/investigate-files.md)
##### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
#### [Machines list]()
##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
#### [Take response actions]()
##### [Take response actions on a machine]()
###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
##### [Take response actions on a file]()
###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
### [Machines list]()
#### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
#### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
##### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
### [Take response actions]()
#### [Take response actions on a machine]()
##### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
##### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
##### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
##### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
##### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
##### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
##### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
##### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
##### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
##### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
#### [Take response actions on a file]()
##### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
##### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
##### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
##### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
##### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
##### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
##### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
##### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
##### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
##### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
##### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
#### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
#### [Investigate entities using Live response]()
##### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
### [Investigate entities using Live response]()
#### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
#### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
##### [Shadow protection?](windows-defender-antivirus/shadow-protection.md)
#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
#### [Reporting]()
##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
#### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
#### [Custom detections]()
##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
### [Automated investigation and response]()
#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md)
#### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md)
#### [Work with query results](microsoft-defender-atp/advanced-hunting-query-results.md)
#### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
#### [Advanced hunting schema reference]()
##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
@ -127,17 +367,13 @@
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
### [Reporting]()
#### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
#### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
#### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
#### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
### [Custom detections]()
#### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
#### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
@ -173,170 +409,6 @@
#### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
#### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
### [Manage capabilities]()
#### [Configure attack surface reduction]()
##### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
#### [Hardware-based isolation]()
##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
##### [Application isolation]()
###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
###### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Device control]()
###### [Control USB devices](device-control/control-usb-devices-using-intune.md)
###### [Device Guard]()
####### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
####### [Memory integrity]()
######## [Understand memory integrity](device-guard/memory-integrity.md)
######## [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
######## [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
##### [Exploit protection]()
###### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
###### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
##### [Network protection](microsoft-defender-atp/enable-network-protection.md)
##### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
##### [Attack surface reduction controls]()
###### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
###### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md)
##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
#### [Configure next-generation protection]()
##### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
###### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
##### [Configure behavioral, heuristic, and real-time protection]()
###### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
##### [Antivirus compatibility]()
###### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
##### [Deploy, manage updates, and report on antivirus]()
###### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
###### [Report on antivirus protection]()
####### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
###### [Manage updates and apply baselines]()
####### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
####### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
##### [Customize, initiate, and review the results of scans and remediation]()
###### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage antivirus in your business]()
###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
##### [Manage scans and remediation]()
###### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage next-generation protection in your business]()
###### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
#### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
##### [What's New](microsoft-defender-atp/mac-whatsnew.md)
##### [Deploy]()
###### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
###### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md)
###### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
###### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
##### [Update](microsoft-defender-atp/mac-updates.md)
##### [Configure]()
###### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
###### [Set preferences](microsoft-defender-atp/mac-preferences.md)
###### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
##### [Troubleshoot]()
###### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
###### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
###### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
###### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md)
##### [Privacy](microsoft-defender-atp/mac-privacy.md)
##### [Resources](microsoft-defender-atp/mac-resources.md)
#### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
##### [Deploy]()
###### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
###### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
###### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
##### [Update](microsoft-defender-atp/linux-updates.md)
##### [Configure]()
###### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
###### [Set preferences](microsoft-defender-atp/linux-preferences.md)
##### [Resources](microsoft-defender-atp/linux-resources.md)
#### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
### [Configure portal settings]()
#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
#### [General]()
@ -374,54 +446,7 @@
#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
## Reference
### [Capabilities]()
#### [Threat & Vulnerability Management]()
##### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
##### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [Attack surface reduction]()
##### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
##### [Hardware-based isolation]()
###### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
###### [Application isolation]()
####### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md)
####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
###### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Exploit protection](microsoft-defender-atp/exploit-protection.md)
##### [Network protection](microsoft-defender-atp/network-protection.md)
##### [Web protection]()
###### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
###### [Web threat protection]()
####### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
####### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
#######[Respond to web threats](microsoft-defender-atp/web-protection-response.md)
###### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
##### [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
##### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md)
##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
#### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
##### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
##### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
##### [Shadow protection](windows-defender-antivirus/shadow-protection.md)
#### [Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md)
#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
### [Management and APIs]()
#### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
@ -459,9 +484,10 @@
####### [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
####### [Get installed software](microsoft-defender-atp/get-installed-software.md)
####### [Get discovered vulnerabilities](microsoft-defender-atp/get-discovered-vulnerabilities.md)
####### [Get security recommendation](microsoft-defender-atp/get-security-recommendations.md)
####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md)
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
###### [Machine Action]()
####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)
@ -523,6 +549,7 @@
####### [List software version distribution](microsoft-defender-atp/get-software-ver-distribution.md)
####### [List machines by software](microsoft-defender-atp/get-machines-by-software.md)
####### [List vulnerabilities by software](microsoft-defender-atp/get-vuln-by-software.md)
####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-software.md)
###### [Vulnerability]()
####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
@ -590,28 +617,9 @@
### [Information protection in Windows overview]()
#### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
### [Evaluate Microsoft Defender ATP]()
#### [Attack surface reduction and next-generation capability evaluation]()
##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md)
##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md)
##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
##### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
### [Access the Microsoft Defender ATP Community Center](microsoft-defender-atp/community.md)
### [Helpful resources](microsoft-defender-atp/helpful-resources.md)
@ -695,6 +703,9 @@
#### [Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
### [Windows Sandbox](windows-sandbox/windows-sandbox-overview.md)
#### [Windows Sandbox architecture](windows-sandbox/windows-sandbox-architecture.md)
#### [Windows Sandbox configuration](windows-sandbox/windows-sandbox-configure-using-wsb-file.md)
### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)

37
windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
View File

@ -23,25 +23,26 @@ ms.date: 07/25/2018
- Windows 10
You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
To complete this procedure, you must be logged on as a member of the built-in Administrators group or you must have been granted the **Manage auditing and security log** right.
To complete this procedure, you must be signed in as a member of the built-in Administrators group or have **Manage auditing and security log** rights.
**To apply or modify auditing policy settings for a local file or folder**
1. Right-click the file or folder that you want to audit, click **Properties**, and then click the **Security** tab.
2. Click **Advanced**.
3. In the **Advanced Security Settings** dialog box, click the **Auditing** tab, and then click **Continue**.
1. Select and hold (or right-click) the file or folder that you want to audit, select **Properties**, and then select the **Security** tab.
2. Select **Advanced**.
3. In the **Advanced Security Settings** dialog box, select the **Auditing** tab, and then select **Continue**.
4. Do one of the following:
- To set up auditing for a new user or group, click **Add**. Click **Select a principal**, type the name of the user or group that you want, and then click **OK**.
- To remove auditing for an existing group or user, click the group or user name, click **Remove**, click **OK**, and then skip the rest of this procedure.
- To view or change auditing for an existing group or user, click its name, and then click **Edit.**
- To set up auditing for a new user or group, select **Add**. Select **Select a principal**, type the name of the user or group that you want, and then select **OK**.
- To remove auditing for an existing group or user, select the group or user name, select **Remove**, select **OK**, and then skip the rest of this procedure.
- To view or change auditing for an existing group or user, select its name, and then select **Edit.**
5. In the **Type** box, indicate what actions you want to audit by selecting the appropriate check boxes:
- To audit successful events, click **Success.**
- To audit failure events, click **Fail.**
- To audit all events, click **All.**
- To audit successful events, select **Success.**
- To audit failure events, select **Fail.**
- To audit all events, select **All.**
6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include:
6. In the **Applies to** box, select the object(s) to which the audit of events will apply. These include:
- **This folder only**
- **This folder, subfolders and files**
@ -55,16 +56,18 @@ To complete this procedure, you must be logged on as a member of the built-in Ad
- **Read and execute**
- **List folder contents**
- **Read**
- Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination.
- Additionally, with your selected audit combination, you can select any combination of the following permissions:
- **Full control**
- **Modify**
- **Write**
> **Important:**  Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
> [!IMPORTANT]
> Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
 
## Additional considerations
- After object access auditing is enabled, view the security log in Event Viewer to review the results of your changes.
- After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes.
- You can set up file and folder auditing only on NTFS drives.
- Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
- Because the security log is limited in size, carefully select the files and folders to be audited. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
 
 

52
windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
View File

@ -22,38 +22,39 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects.
This article for IT professionals describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects.
This security audit policy and the event that it records are generated when the central access policy that is associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server.
This security audit policy and the event that it records are generated when the central access policy that's associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server.
For info about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md).
For information about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md).
Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/library/hh831717.aspx).
>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
> [!NOTE]
> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
**To configure settings to monitor central access policies associated with files or folders**
1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to **Tools**, and then click **Group Policy Management**.
3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**.
2. In Server Manager, point to **Tools**, and then select **Group Policy Management**.
3. In the console tree, right-click the flexible access Group Policy Object, and then select **Edit**.
4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Audit Authorization Policy Change**.
5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
6. Enable auditing for a file or folder as described in the following procedure.
5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then select **OK**.
6. Turn on auditing for a file or folder as described in the following procedure.
**To enable auditing for a file or folder**
**To turn on auditing for a file or folder**
1. Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit.
2. Right-click the file or folder, click **Properties**, and then click the **Security** tab.
3. Click **Advanced**, click the **Auditing** tab, and then click **Continue**.
1. Sign in as a member of the local administrator's group on the computer that contains the files or folders that you want to audit.
2. Right-click the file or folder, select **Properties**, and then select the **Security** tab.
3. Select **Advanced**, select the **Auditing** tab, and then select **Continue**.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
4. Click **Add**, click **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then click **OK**.
4. Select **Add**, select **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then select **OK**.
5. In the **Auditing Entry for** dialog box, select the permissions that you want to audit, such as **Full Control** or **Delete**.
6. Click **OK** four times to complete the configuration of the object SACL.
7. Open a File Explorer window and select or create a file or folder to audit.
8. Open an elevated command prompt, and run the following command:
6. To complete the configuration of the object SACL, select **OK** four times.
7. Open a File Explorer window, and then select or create a file or folder to audit.
8. Open an elevated command prompt, and then run the following command:
`gpupdate /force`
@ -61,15 +62,16 @@ After you configure settings to monitor changes to the central access policies t
**To verify that changes to central access policies associated with files and folders are monitored**
1. Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit.
2. Open a File Explorer window and select the file or folder that you configured for auditing in the previous procedure.
3. Right-click the file or folder, click **Properties**, click the **Security** tab, and then click **Advanced**.
4. Click the **Central Policy** tab, click **Change**, and select a different central access policy (if one is available) or select **No Central Access Policy**, and then click **OK** twice.
>**Note:**  You must select a setting that is different than your original setting to generate the audit event.
1. Sign in as a member of the local administrator's group on the computer that contains the files or folders that you want to audit.
2. Open a File Explorer window, and then select the file or folder that you configured for auditing in the previous procedure.
3. Right-click the file or folder, select **Properties**, select the **Security** tab, and then select **Advanced**.
4. Select the **Central Policy** tab, select **Change**, select a different central access policy (if one is available) or select **No Central Access Policy**, and then select **OK** twice.
> [!NOTE]
> You must select a setting that is different than your original setting to generate the audit event.
5. In Server Manager, click **Tools**, and then click **Event Viewer**.
6. Expand **Windows Logs**, and then click **Security**.
7. Look for event 4913, which is generated when the central access policy that is associated with a file or folder is changed. This event includes the security identifiers (SIDs) of the old and new central access policies.
5. In Server Manager, select **Tools**, and then select **Event Viewer**.
6. Expand **Windows Logs**, and then select **Security**.
7. Look for event 4913, which is generated when the central access policy that's associated with a file or folder changes. This event includes the security identifiers (SIDs) of the old and new central access policies.
### Related resource

4
windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
View File

@ -42,7 +42,7 @@ The following tables provide more information about the hardware, firmware, and
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
> **Important**&nbsp;&nbsp;The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
@ -75,6 +75,6 @@ The following tables describe additional hardware and firmware qualifications, a
| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|------|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>• UEFI runtime service must meet these requirements: <br>&nbsp;&nbsp;&nbsp;&nbsp;• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br>&nbsp;&nbsp;&nbsp;&nbsp;• PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br>&nbsp;&nbsp;&nbsp;&nbsp;• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and exceutable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br>&nbsp;&nbsp;&nbsp;&nbsp;• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br>&nbsp;&nbsp;&nbsp;&nbsp;• PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br>&nbsp;&nbsp;&nbsp;&nbsp;• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |

24
windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
View File

@ -30,13 +30,19 @@ Windows Defender Antivirus is the [next generation protection](https://www.youtu
**Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)**
### AV-TEST: Protection score of 6.0/6.0 in the latest test
### AV-TEST: Protection score of 5.5/6.0 in the latest test
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) <sup>**Latest**</sup>
- January - February 2020 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2020/microsoft-windows-defender-antivirus-4.18-200614/) <sup>**Latest**</sup>
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 13,889 malware samples used. This industry-leading antivirus solution has consistently achieved a perfect Protection score in all AV-TEST cycles in the past 14 months.
Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, with 21,008 malware samples used.
- November - December 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2019/microsoft-windows-defender-antivirus-4.18-195015/)
- September - October 2019 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2019/microsoft-windows-defender-antivirus-4.18-194115/)
- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
- May — June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
@ -52,9 +58,11 @@ The AV-TEST Product Review and Certification Report tests on three categories: p
Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance.
- Business Security Test 2019 (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) <sup>**Latest**</sup>
- Business Security Test 2019 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2019-august-november/) <sup>**Latest**</sup>
Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.9% in the latest test.
Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.6% in the latest test.
- Business Security Test 2019 Factsheet (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
- Business Security Test 2019 (March — June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
@ -66,9 +74,11 @@ Business Security Test consists of three main parts: the Real-World Protection T
SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services.
- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
- Enterprise Endpoint Protection October — December 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/oct-dec-2019-enterprise.pdf) <sup>**pdf**</sup>
Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but one public threat.
Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but two public threats.
- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
- Enterprise Endpoint Protection April — June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)

2
windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
View File

@ -118,7 +118,7 @@ To receive contextual machine integration in Azure ATP, you'll also need to enab
1. Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
2. Click **Create a workspace** or use your primary workspace.
2. Click **Create your instance**.
3. Toggle the Integration setting to **On** and click **Save**.

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# Advanced hunting query best practices

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceEvents

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceFileEvents

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceImageLoadEvents

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceInfo

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceLogonEvents

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceNetworkEvents

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceNetworkInfo

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceProcessEvents

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceRegistryEvents

32
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
View File

@ -1,7 +1,7 @@
---
title: Overview of advanced hunting
title: Overview of advanced hunting in Microsoft Defender ATP
description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# Proactively hunt for threats with advanced hunting
@ -39,38 +38,19 @@ You can also go through each of the following steps to ramp up your advanced hun
| Learning goal | Description | Resource |
|--|--|--|
| **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) |
| **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) |
| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | [Custom detections overview](overview-custom-detections.md) |
| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |
## Get help as you write queries
Take advantage of the following functionality to write queries faster:
- **Autosuggest** — as you write queries, advanced hunting provides suggestions.
- **Autosuggest** — as you write queries, advanced hunting provides suggestions from IntelliSense.
- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
## Drilldown from query results
To view more information about entities, such as machines, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity in Microsoft Defender Security Center.
## Tweak your queries from the results
Right-click a value in the result set to quickly enhance your query. You can use the options to:
- Explicitly look for the selected value (`==`)
- Exclude the selected value from the query (`!=`)
- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with`
![Image of Microsoft Defender ATP advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
## Filter the query results
The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude.
![Image of advanced hunting filter](images/atp-filter-advanced-hunting.png)
Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
## Related topics
- [Learn the query language](advanced-hunting-query-language.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)

91
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# Learn the advanced hunting query language
@ -32,64 +31,87 @@ Advanced hunting is based on the [Kusto query language](https://docs.microsoft.c
In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
```kusto
// Finds PowerShell execution events that could involve a download.
DeviceProcessEvents
// Finds PowerShell execution events that could involve a download
union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine contains "http:"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
// Pivoting on PowerShell processes
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
// Suspicious commands
| where ProcessCommandLine has_any("WebClient",
"DownloadFile",
"DownloadData",
"DownloadString",
"WebRequest",
"Shellcode",
"http",
"https")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
| top 100 by Timestamp
```
This is how it will look like in advanced hunting.
![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example.png)
![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example-2.png)
### Describe the query and specify the table to search
The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
### Describe the query and specify the tables to search
A short comment has been added to the beginning of the query to describe what it is for. This helps if you later decide to save the query and share it with others in your organization.
```kusto
// Finds PowerShell execution events that could involve a download.
DeviceProcessEvents
// Finds PowerShell execution events that could involve a download
```
The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `DeviceProcessEvents` and add piped elements as needed.
The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
```kusto
union DeviceProcessEvents, DeviceNetworkEvents
```
### Set the time range
The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
The first piped element is a time filter scoped to the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
```kusto
| where Timestamp > ago(7d)
```
### Search for specific executable files
The time range is immediately followed by a search for files representing the PowerShell application.
```kusto
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
### Check specific processes
The time range is immediately followed by a search for process file names representing the PowerShell application.
```
### Search for specific command lines
Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
```kusto
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine contains "http:"
// Pivoting on PowerShell processes
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
```
### Select result columns and length
Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
### Search for specific command strings
Afterwards, the query looks for strings in command lines that are typically used to download files using PowerShell.
```kusto
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
// Suspicious commands
| where ProcessCommandLine has_any("WebClient",
"DownloadFile",
"DownloadData",
"DownloadString",
"WebRequest",
"Shellcode",
"http",
"https")
```
### Customize result columns and length
Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
```kusto
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
| top 100 by Timestamp
```
Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
Click **Run query** to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results.
![Image of the Expand control in the advanced hunting query editor](images/advanced-hunting-expand.png)
>[!TIP]
>You can view query results as charts and quickly adjust filters. For guidance, [read about working with query results](advanced-hunting-query-results.md)
## Learn common query operators for advanced hunting
@ -137,6 +159,7 @@ For detailed information about the query language, see [Kusto query language doc
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)

142
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md Normal file
View File

@ -0,0 +1,142 @@
---
title: Work with advanced hunting query results in Microsoft Defender ATP
description: Make the most of the query results returned by advanced hunting in Microsoft Defender ATP
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Work with advanced hunting query results
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
[!INCLUDE [Prerelease information](../../includes/prerelease.md)]
While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results:
- View results as a table or chart
- Export tables and charts
- Drill down to detailed entity information
- Tweak your queries directly from the results or apply filters
## View query results as a table or chart
By default, advanced hunting displays query results as tabular data. You can also display the same data as a chart. Advanced hunting supports the following views:
| View type | Description |
| -- | -- |
| **Table** | Displays the query results in tabular format |
| **Column chart** | Renders a series of unique items on the x-axis as vertical bars whose heights represent numeric values from another field |
| **Stacked column chart** | Renders a series of unique items on the x-axis as stacked vertical bars whose heights represent numeric values from one or more other fields |
| **Pie chart** | Renders sectional pies representing unique items. The size of each pie represents numeric values from another field. |
| **Donut chart** | Renders sectional arcs representing unique items. The length of each arc represents numeric values from another field. |
| **Line chart** | Plots numeric values for a series of unique items and connects the plotted values |
| **Scatter chart** | Plots numeric values for a series of unique items |
| **Area chart** | Plots numeric values for a series of unique items and fills the sections below the plotted values |
### Construct queries for effective charts
When rendering charts, advanced hunting automatically identifies columns of interest and the numeric values to aggregate. To get meaningful charts, construct your queries to return the specific values you want to see visualized. Here are some sample queries and the resulting charts.
#### Alerts by severity
Use the `summarize` operator to obtain a numeric count of the values you want to chart. The query below uses the `summarize` operator to get the number of alerts by severity.
```kusto
DeviceAlertEvents
| summarize Total = count() by Severity
```
When rendering the results, a column chart displays each severity value as a separate column:
![Image of advanced hunting query results displayed as a column chart](images/advanced-hunting-column-chart.jpg)
*Query results for alerts by severity displayed as a column chart*
#### Alert severity by operating system
You could also use the `summarize` operator to prepare results for charting values from multiple fields. For example, you might want to understand how alert severities are distributed across operating systems (OS).
The query below uses a `join` operator to pull in OS information from the `DeviceInfo` table, and then uses `summarize` to count values in both the `OSPlatform` and `Severity` columns:
```kusto
DeviceAlertEvents
| join DeviceInfo on DeviceId
| summarize Count = count() by OSPlatform, Severity
```
These results are best visualized using a stacked column chart:
![Image of advanced hunting query results displayed as a stacked chart](images/advanced-hunting-stacked-chart.jpg)
*Query results for alerts by OS and severity displayed as a stacked chart*
#### Top ten machine groups with alerts
If you're dealing with a list of values that isnt finite, you can use the `Top` operator to chart only the values with the most instances. For example, to get the top ten machine groups with the most alerts, use the query below:
```kusto
DeviceAlertEvents
| join DeviceInfo on DeviceId
| summarize Count = count() by MachineGroup
| top 10 by Count
```
Use the pie chart view to effectively show distribution across the top groups:
![Image of advanced hunting query results displayed as a pie chart](images/advanced-hunting-pie-chart.jpg)
*Pie chart showing distribution of alerts across machine groups*
#### Malware detections over time
Using the `summarize` operator with the `bin()` function, you can check for events involving a particular indicator over time. The query below counts detections of an EICAR test file at 30 minute intervals to show spikes in detections of that file:
```kusto
DeviceEvents
| where ActionType == "AntivirusDetection"
| where SHA1 == "3395856ce81f2b7382dee72602f798b642f14140"
| summarize Detections = count() by bin(Timestamp, 30m)
```
The line chart below clearly highlights time periods with more detections of the test malware:
![Image of advanced hunting query results displayed as a line chart](images/advanced-hunting-line-chart.jpg)
*Line chart showing the number of detections of a test malware over time*
## Export tables and charts
After running a query, select **Export** to save the results to local file. Your chosen view determines how the results are exported:
- **Table view** — the query results are exported in tabular form as a Microsoft Excel workbook
- **Any chart** — the query results are exported as a JPEG image of the rendered chart
## Drill down from query results
To view more information about entities, such as machines, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity.
## Tweak your queries from the results
Right-click a value in the result set to quickly enhance your query. You can use the options to:
- Explicitly look for the selected value (`==`)
- Exclude the selected value from the query (`!=`)
- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with`
![Image of advanced hunting result set](images/advanced-hunting-results-filter.png)
## Filter the query results
The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude and then selecting **Run query**.
![Image of advanced hunting filter](images/advanced-hunting-filter.png)
Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
- [Custom detections overview](overview-custom-detections.md)

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
View File

@ -55,4 +55,5 @@ Table and column names are also listed within the Microsoft Defender Security Ce
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Learn the query language](advanced-hunting-query-language.md)

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# Use shared queries in advanced hunting

13
windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/24/2018
ms.date: 03/27/2020
---
# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
@ -27,6 +27,9 @@ ms.date: 04/24/2018
The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.
>[!NOTE]
>The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a machine that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
There are several options you can choose from to customize the alerts queue view.
On the top navigation you can:
@ -45,10 +48,10 @@ You can apply the following filters to limit the list of alerts and get a more f
Alert severity | Description
:---|:---
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines.
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines. Some examples of these are credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
Medium </br>(Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
Low </br>(Yellow) | Alerts on threats associated with prevalent malware, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
Informational </br>(Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
#### Understanding alert severity
It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.

130
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md Normal file
View File

@ -0,0 +1,130 @@
---
title: Attack surface reduction frequently asked questions (FAQ)
description: Find answers to frequently asked questions about Microsoft Defender ATP's attack surface reduction rules.
keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: martyav
ms.author: v-maave
ms.reviewer:
manager: dansimp
ms.custom: asr
---
# Attack surface reduction frequently asked questions (FAQ)
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Is attack surface reduction (ASR) part of Windows?**
ASR was originally a feature of the suite of exploit guard features introduced as a major update to Windows Defender Antivirus, in Windows 10 version 1709. Windows Defender Antivirus is the native antimalware component of Windows. However, please note that the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Windows Defender Antivirus exclusions.
**Do I need to have an enterprise license to run ASR rules?**
The full set of ASR rules and features are only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license, if you have Microsoft 365 Business, set Windows Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full feature-set of ASR will not be available.
**Is ASR supported if I have an E3 license?**
Yes. ASR is supported for Windows Enterprise E3 and above. See [Use attack surface reduction rules in Windows 10 Enterprise E3](attack-surface-reduction-rules-in-windows-10-enterprise-e3.md) for more details.
**Which features are supported with an E5 license?**
All of the rules supported with E3 are also supported with E5.
E5 also added greater integration with Microsoft Defender ATP. With E5, you can [use Microsoft Defender ATP to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports.
**What are the the currently supported ASR rules??**
ASR currently supports all of the rules below:
* [Block executable content from email client and webmail](attack-surface-reduction.md#block-executable-content-from-email-client-and-webmail)
* [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes)
* [Block Office applications from creating executable content](attack-surface-reduction.md#block-office-applications-from-creating-executable-content)
* [Block Office applications from injecting code into other processes](attack-surface-reduction.md#block-office-applications-from-injecting-code-into-other-processes)
* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md##block-javascript-or-vbscript-from-launching-downloaded-executable-content)
* [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts)
* [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros)
* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)<!-- Note: Because the following link contains characters the validator is not expecting, it throws a warning that the bookmark does not exist. This is a false positive; the link correctly targets the heading, Block credential stealing from the Windows local security authority subsystem (lsass.exe), when selected -->
* [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem)
* [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands)
* [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb)
* [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
* [Block Office communication applications from creating child processes](attack-surface-reduction.md#block-office-communication-application-from-creating-child-processes)
* [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes)
* [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription)
**What are some good recommendations for getting started with ASR?**
It is generally best to first test how ASR rules will impact your organization before enabling them, by running them in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR.
Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly-broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool.
**How long should I test an ASR rule in audit mode before enabling it?**
You should keep the rule in audit mode for about 30 days. This amount of time gives you a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
**I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR?**
Rather than attempting to import sets of rules from another security solution, it is, in most cases, easier and safer to start with the baseline recommendations suggested for your organization by Microsoft Defender ATP, then use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. The default configuration for most ASR rules, combined with Defender's real-time protection, will protect against a large number of exploits and vulnerabilities.
From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked.
**Does ASR support file or folder exclusions that include system variables and wildcards in the path?**
Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
**Do ASR rules cover all applications by default?**
It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as *Block execution of potentially obfuscated scripts*, are more general in scope.
**Does ASR support third-party security solutions?**
ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time.
**I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?**
Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP.
**I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.**
Try opening the indexing options directly from Windows 10.
1. Select the **Search** icon on the Windows taskbar.
1. Enter **Indexing options** into the search box.
**Are the criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*, configurable by an admin?**
No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up-to-date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered.
**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?**
This rule relies upon each application having a known reputation, as measured by prevalence, age, or inclusion on a list of trusted apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria.
Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode.
**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?**
A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
**Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?**
Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe.
## Related topics
* [Attack surface reduction overview](attack-surface-reduction.md)
* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
* [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)

1
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
View File

@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 10/15/2018
ms.reviewer:
manager: dansimp
ms.custom: asr

130
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
View File

@ -1,7 +1,7 @@
---
title: Use attack surface reduction rules to prevent malware infection
description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware
keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware.
keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -26,27 +26,33 @@ ms.custom: asr
> [!IMPORTANT]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks.
To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can use Event Viewer to review attack surface reduction rule events.
Attack surface reduction rules target software behaviors that are often abused by attackers, such as:
Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
* Launching executable files and scripts that attempt to download or run files
* Running obfuscated or otherwise suspicious scripts
* Performing behaviors that apps don't usually initiate during normal day-to-day work
* Executable files and scripts used in Office apps or web mail that attempt to download or run files
* Obfuscated or otherwise suspicious scripts
* Behaviors that apps don't usually initiate during normal day-to-day work
These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 security center.
Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center.
For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
## Attack surface reduction features across Windows versions
You can set attack surface reduction rules for computers running Windows 10 versions 1709 and 1803 or later, Windows Server version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
To use the entire feature-set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
## Review attack surface reduction events in the Microsoft Defender Security Center
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
Microsoft Defender ATP provides detailed reporting for events and blocks, as part of its alert investigation scenarios.
You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
You can query Microsoft Defender ATP data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
Here is an example query:
@ -57,19 +63,19 @@ DeviceEvents
## Review attack surface reduction events in Windows Event Viewer
You can review the Windows event log to view events that are created when attack surface reduction rules fire:
You can review the Windows event log to view events generated by attack surface reduction rules:
1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer.
2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer.
3. Click **Import custom view...** on the left panel, under **Actions**.
3. Under **Actions**, select **Import custom view...**.
4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md).
5. Click **OK**.
5. Select **OK**.
This will create a custom view that filters to only show the following events related to controlled folder access:
This will create a custom view that filters events to only show the following, all of which are related to controlled folder access:
Event ID | Description
-|-
@ -77,35 +83,33 @@ Event ID | Description
1121 | Event when rule fires in Block-mode
1122 | Event when rule fires in Audit-mode
The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed.
The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
## Attack surface reduction rules
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs:
Rule name | GUID | File & folder exclusions
-----------|------|--------------------------
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported
Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.
-|-|-
[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported
[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported
[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported
[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported
[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported
[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported
[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported
[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported
[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported
### Block executable content from email client and webmail
This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers:
This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
* Executable files (such as .exe, .dll, or .scr)
* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
@ -122,7 +126,7 @@ GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings.
Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
@ -148,7 +152,11 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899
### Block Office applications from injecting code into other processes
Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.
This rule blocks code injection attempts from Office apps into other processes.
Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.
There are no known legitimate business purposes for using code injection.
This rule applies to Word, Excel, and PowerPoint.
@ -162,9 +170,9 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
### Block JavaScript or VBScript from launching downloaded executable content
Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
Although not common, line-of-business applications sometimes use scripts to download and launch installers.
> [!IMPORTANT]
> File and folder exclusions don't apply to this attack surface reduction rule.
@ -179,7 +187,9 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D
### Block execution of potentially obfuscated scripts
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.
This rule detects suspicious properties within an obfuscated script.
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
@ -191,7 +201,9 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
### Block Win32 API calls from Office macros
Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface.
This rule prevents VBA macros from calling Win32 APIs.
Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
@ -203,10 +215,12 @@ GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:
This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
* Executable files (such as .exe, .dll, or .scr)
Launching untrusted or unknown executable files can be risky, as it may not not be initially clear if the files are malicious.
> [!NOTE]
> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
@ -225,7 +239,7 @@ GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
### Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list.
> [!NOTE]
> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
@ -238,9 +252,11 @@ Configuration Manager name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
### Block credential stealing from the Windows local security authority subsystem
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).
LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
> [!NOTE]
> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
@ -255,10 +271,7 @@ GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
### Block process creations originating from PSExec and WMI commands
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
> [!IMPORTANT]
> File and folder exclusions do not apply to this attack surface reduction rule.
This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
> [!WARNING]
> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
@ -288,7 +301,9 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
### Block Office communication application from creating child processes
This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
This rule prevents Outlook from creating child processes, while till allowing legitimate Outlook functions.
This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
> [!NOTE]
> This rule applies to Outlook and Outlook.com only.
@ -303,7 +318,9 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
### Block Adobe Reader from creating child processes
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
This rule prevents attacks by blocking Adobe Reader from creating additional processes.
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
@ -315,7 +332,9 @@ GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
### Block persistence through WMI event subscription
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository.
This rule prevents malware from abusing WMI to attain persistence on a device.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
This rule was introduced in: Windows 10 1903, Windows Server 1903
@ -327,6 +346,7 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
## Related topics
* [Attack surface reduction FAQ](attack-surface-reduction.md)
* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)

38
windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
View File

@ -25,7 +25,7 @@ ms.topic: conceptual
>[!NOTE]
> Secure score is now part of Threat & Vulnerability Management as Configuration score.
Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories:
Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your machines across the following categories:
- Application
- Operating system
@ -33,7 +33,7 @@ Your Configuration score is visible in the [Threat & Vulnerability Management da
- Accounts
- Security controls
A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks.
Select a category to go to the [**Security recommendations**](tvm-security-recommendation.md) page and view the relevant recommendations.
## How it works
@ -43,20 +43,31 @@ A higher configuration score means your endpoints are more resilient from cybers
The data in the configuration score card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
- Compare collected configurations to the collected benchmarks to discover misconfigured assets
- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration
- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction)
- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
- Collect and monitor changes of security control configuration state from all assets
From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks.
## Improve your security configuration
## Improve your configuration score
You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
The goal is to remediate the issues in the security recommendations list to improve your configuration score. You can filter the view based on:
1. From the Configuration score card in the Threat & Vulnerability Management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
- **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
- **Remediation type** — **Configuration change** or **Software update**
2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
![Security controls related security recommendations](images/tvm_security_controls.png)
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up.
4. **Submit request**. You will see a confirmation message that the remediation task has been created.
>![Remediation task creation confirmation](images/tvm_remediation_task_created.png)
5. Save your CSV file.
![Save csv file](images/tvm_save_csv_file.png)
6. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
7. Review the **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:
@ -71,17 +82,14 @@ See how you can [improve your security configuration](https://docs.microsoft.com
## Related topics
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)

17
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -38,8 +38,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Transparent proxy
- Web Proxy Auto-discovery Protocol (WPAD)
> [!NOTE]
> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
> [!NOTE]
> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
- Manual static proxy configuration:
- Registry based configuration
@ -102,7 +102,8 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/
## Enable access to Microsoft Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443:
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed below to the allowed domains list.
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning.
> [!NOTE]
> settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.<br>
@ -120,6 +121,16 @@ United States | ```us.vortex-win.data.microsoft.com``` <br> ```ussus1eastprod.bl
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
### Log analytics agent requirements
The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
|Agent Resource|Ports |Direction |Bypass HTTPS inspection|
|------|---------|--------|--------|
|*.ods.opinsights.azure.com |Port 443 |Outbound|Yes |
|*.oms.opinsights.azure.com |Port 443 |Outbound|Yes |
|*.blob.core.windows.net |Port 443 |Outbound|Yes |
## Microsoft Defender ATP service backend IP range
If your network devices don't support the URLs added to an "allow" list in the prior section, you can use the following information.

16
windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
View File

@ -25,7 +25,7 @@ ms.topic: article
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
- Windows Server, 2019
- Windows Server, 2019 and later
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
@ -38,7 +38,7 @@ The service supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
- Windows Server 2019
- Windows Server 2019 and later
For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
@ -113,7 +113,7 @@ The following steps are required to enable this integration:
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md).
Once completed, you should see onboarded servers in the portal within an hour.
@ -153,11 +153,13 @@ Support for Windows Server, version 1803 and Windows 2019 provides deeper insigh
b. Run the following PowerShell command to verify that the passive mode was configured:
```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
```PowerShell
Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
```
c. Confirm that a recent event containing the passive mode event is found:
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
3. Run the following command to check if Windows Defender AV is installed:
@ -172,8 +174,8 @@ Microsoft Defender ATP integrates with Azure Security Center to provide a compre
The following capabilities are included in this integration:
- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
> [!NOTE]
> Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
> [!NOTE]
> Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
- Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach

2
windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
View File

@ -78,7 +78,7 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP detec
<td>URL to authenticate the azure app (Default : https://login.microsoftonline.com)</td>
</tr>
<td>Endpoint</td>
<td>Depending on the location of your datacenter, select any of the following URL: </br></br> <strong>For EU</strong>: <code>https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts</code><br></br><strong>For US:</strong><code>https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts</code> <br><br> <strong>For UK:</strong><code>https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alerts</code>
<td>Depending on the location of your datacenter, select any of the following URL: </br></br> <strong>For EU</strong>: <code>https://wdatp-alertexporter-eu.securitycenter.windows.com</code><br></br><strong>For US:</strong><code>https://wdatp-alertexporter-us.securitycenter.windows.com</code> <br><br> <strong>For UK:</strong><code>https://wdatp-alertexporter-uk.securitycenter.windows.com</code>
</tr>
<tr>
<td>Tenant ID</td>

14
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
View File

@ -63,14 +63,14 @@ With the query in the query editor, select **Create detection rule** and specify
For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
#### Rule frequency
When saved, custom detections rules immediately run. They then run again at fixed intervals based on the frequency you choose. Rules that run less frequently will have longer lookback durations:
When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
- **Every 24 hours** — checks data from the past 30 days
- **Every 12 hours** — checks data from the past 24 hours
- **Every 3 hours** — checks data from the past 6 hours
- **Every hour** — checks data from the past 2 hours
- **Every 24 hours** — runs every 24 hours, checking data from the past 30 days
- **Every 12 hours** — runs every 12 hours, checking data from the past 24 hours
- **Every 3 hours** — runs every 3 hours, checking data from the past 6 hours
- **Every hour** — runs hourly, checking data from the past 2 hours
Whenever a rule runs, similar detections on the same machine could be aggregated into fewer alerts, so running a rule less frequently can generate fewer alerts. Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
### 3. Specify actions on files or machines.
Your custom detection rule can automatically take actions on files or machines that are returned by the query.
@ -88,7 +88,7 @@ These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1`
- **Quarantine file** — deletes the file from its current location and places a copy in quarantine
### 4. Click **Create** to save and turn on the rule.
When saved, the custom detection rule immediately runs. It runs again every 24 hours to check for matches, generate alerts, and take response actions.
After reviewing the rule, click **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
## Manage existing custom detection rules
In **Settings** > **Custom detections**, you can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.

13
windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
View File

@ -1,5 +1,5 @@
---
title: Configure how attack surface reduction rules work to finetune protection in your network
title: Configure how attack surface reduction rules work to fine-tune protection in your network
description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh
@ -26,11 +26,11 @@ manager: dansimp
> [!IMPORTANT]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
Attack surface reduction rules help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture.
This topic describes how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
@ -39,12 +39,12 @@ You can exclude files and folders from being evaluated by attack surface reducti
> [!WARNING]
> This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules.
An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to a specific rule.
An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
Rule description | GUID
-|-|-
@ -103,3 +103,4 @@ See the [Windows Security](../windows-defender-security-center/windows-defender-
* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
* [Attack surface reduction FAQ](attack-surface-reduction.md)

BIN
windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx
View File

Binary file not shown.

9
windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
View File

@ -1,6 +1,6 @@
---
title: Enable ASR rules individually to protect your organization
description: Enable ASR rules to protect your devices from attacks the use macros, scripts, and common injection techniques
description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques.
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -19,7 +19,7 @@ manager: dansimp
# Enable attack surface reduction rules
[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuse to compromise devices and networks. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
Each ASR rule contains three settings:
@ -54,7 +54,7 @@ You can exclude files and folders from being evaluated by most attack surface re
> * Block process creations originating from PSExec and WMI commands
> * Block JavaScript or VBScript from launching downloaded executable content
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
@ -62,7 +62,7 @@ The following procedures for enabling ASR rules include instructions for how to
## Intune
1. In Intune, select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
1. Select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
@ -186,4 +186,5 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
* [Attack surface reduction FAQ](attack-surface-reduction.md)
* [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)

10
windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
View File

@ -23,9 +23,9 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization.
Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your organization.
> [!TIP]
> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
@ -36,16 +36,15 @@ You can enable attack surface reduction rules in audit mode. This lets you see a
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
To enable audit mode, use the following PowerShell cmdlet:
To enable all attack surface reduction rules in audit mode, use the following PowerShell cmdlet:
```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
```
This enables all attack surface reduction rules in audit mode.
> [!TIP]
> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md).
## Review attack surface reduction events in Windows Event Viewer
@ -68,3 +67,4 @@ See the [Customize attack surface reduction rules](customize-attack-surface-redu
* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
* [Use audit mode to evaluate Windows Defender](audit-windows-defender.md)
* [Attack surface reduction FAQ](attack-surface-reduction.md)

3
windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
View File

@ -23,8 +23,7 @@ ms.topic: article
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
When you get started with the lab, you'll be guided through a simple set-up process where you can specify the type of configuration that best suits your needs.

86
windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md Normal file
View File

@ -0,0 +1,86 @@
---
title: Get missing KBs by machine ID
description: Retrieves missing KBs by machine Id
keywords: apis, graph api, supported apis, get, list, file, information, machine id, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get missing KBs by machine ID
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Retrieves missing KBs by machine Id
## HTTP request
```
GET /api/machines/{machineId}/getmissingkbs
```
## Request header
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK, with the specified machine missing kb data in the body.
## Example
### Request
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs
```
### Response
Here is an example of the response.
```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
"value": [
{
"id": "4540673",
"name": "March 2020 Security Updates",
"productsNames": [
"windows_10",
"edge",
"internet_explorer"
],
"url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
"machineMissedOn": 1,
"cveAddressed": 97
},
...
]
}
```
## Related topics
- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)

93
windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md Normal file
View File

@ -0,0 +1,93 @@
---
title: Get missing KBs by software ID
description: Retrieves missing KBs by software ID
keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get missing KBs by software ID
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Retrieves missing KBs by software ID
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
Permission type | Permission | Permission display name
:---|:---|:---
Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
## HTTP request
```
GET /api/Software/{Id}/getmissingkbs
```
## Request header
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK, with the specified software missing kb data in the body.
## Example
### Request
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/getmissingkbs
```
### Response
Here is an example of the response.
```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
"value": [
{
"id": "4540673",
"name": "March 2020 Security Updates",
"productsNames": [
"edge"
],
"url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
"machineMissedOn": 240,
"cveAddressed": 14
},
...
]
}
```
## Related topics
- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-column-chart.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 94 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-expand.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png → windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-filter.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 179 KiB

After

Width:  |  Height:  |  Size: 179 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-line-chart.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 129 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-pie-chart.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 98 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 36 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG → windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-results-filter.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 25 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-stacked-chart.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 107 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/cve-detection-logic.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/eos-upcoming-eos.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 305 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 51 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 64 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 370 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/software-drilldown-eos.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 97 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-discovered-vulnerabilities.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 105 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 25 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 37 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 51 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/version-eos-date.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/windows-server-drilldown.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 179 KiB

3
windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
View File

@ -30,6 +30,9 @@ When you investigate an incident, you'll see:
- Incident comments and actions
- Tabs (alerts, machines, investigations, evidence, graph)
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUV]
## Analyze incident details
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph).

123
windows/security/threat-protection/microsoft-defender-atp/licensing.md
View File

@ -1,123 +0,0 @@
---
title: Validate licensing provisioning and complete Microsoft Defender ATP set up
description: Validating licensing provisioning, setting up initial preferences, and completing the user set up for Microsoft Defender Advanced Threat Protection portal.
keywords: license, licensing, account, set up, validating licensing, windows defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Validate licensing provisioning and complete set up for Microsoft Defender ATP
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-validatelicense-abovefoldlink)
## Check license state
Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**.
1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
![Image of Azure Licensing page](images/atp-licensing-azure-portal.png)
1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
- On the screen you will see all the provisioned licenses and their current **Status**.
![Image of billing licenses](images/atp-billing-subscriptions.png)
## Cloud Service Provider validation
To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center.
1. From the **Partner portal**, click on the **Administer services > Office 365**.
2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer admin center.
![Image of O365 admin portal](images/atp-O365-admin-portal-customer.png)
## Access Microsoft Defender Security Center for the first time
When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created.
1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product.
![Image of Set up your permissions for Microsoft Defender ATP](images/atp-setup-permissions-wdatp-portal.png)
Once the authorization step is completed, the **Welcome** screen will be displayed.
2. The **Welcome** screen will provide some details as to what is about to occur during the set up wizard.
![Image of Welcome screen for portal set up](images/welcome1.png)
You will need to set up your preferences for Microsoft Defender Security Center.
3. Set up preferences
![Image of geographic location in set up](images/setup-preferences.png)
1. **Select data storage location** <br> When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United States, the European Union, or the United Kingdom. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
> [!WARNING]
> This option cannot be changed without completely offboarding from Microsoft Defender ATP and completing a new enrollment process.
2. **Select the data retention policy** <br> Microsoft Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process.
> [!NOTE]
> This option can be changed at a later time.
3. **Select the size of your organization** <br> You will need to indicate the size of your organization based on an estimate of the number of employees currently employed.
> [!NOTE]
> The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization.
4. **Turn on preview features** <br> Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**.
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
- Toggle the setting between On and Off to choose **Preview features**.
> [!NOTE]
> This option can be changed at a later time.
4. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**.
> [!NOTE]
> Some of these options can be changed at a later time in Microsoft Defender Security Center.
![Image of final preference set up](images/setup-preferences2.png)
5. A dedicated cloud instance of Microsoft Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete.
6. You are almost done. Before you can start using Microsoft Defender ATP you'll need to:
- [Onboard Windows 10 machines](configure-endpoints.md)
- Run detection test (optional)
![Image of Onboard machines and run detection test](images/atp-onboard-endpoints-run-detection-test.png)
> [!IMPORTANT]
> If you click **Start using Microsoft Defender ATP** before onboarding machines you will receive the following notification:
> ![Image of setup imcomplete](images/atp-setup-incomplete.png)
7. After onboarding machines you can click **Start using Microsoft Defender ATP**. You will now launch Microsoft Defender ATP for the first time.
## Related topics
- [Onboard machines to the Microsoft Defender Advanced Threat Protection service](onboard-configure.md)
- [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages.md)

118
windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md Normal file
View File

@ -0,0 +1,118 @@
---
title: Configure and validate exclusions for Microsoft Defender ATP for Linux
description: Provide and validate exclusions for Microsoft Defender ATP for Linux. Exclusions can be set for files, folders, and processes.
keywords: microsoft, defender, atp, linux, exclusions, scans, antivirus
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Configure and validate exclusions for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
> [!IMPORTANT]
> The exclusions described in this article don't apply to other Microsoft Defender ATP for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Linux scans.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Linux.
> [!WARNING]
> Defining exclusions lowers the protection offered by Microsoft Defender ATP for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
## Supported exclusion types
The follow table shows the exclusion types supported by Microsoft Defender ATP for Linux.
Exclusion | Definition | Examples
---|---|---
File extension | All files with the extension, anywhere on the machine | `.test`
File | A specific file identified by the full path | `/var/log/test.log`<br/>`/var/log/*.log`<br/>`/var/log/install.?.log`
Folder | All files under the specified folder | `/var/log/`<br/>`/var/*/`
Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`<br/>`cat`<br/>`c?t`
File, folder, and process exclusions support the following wildcards:
Wildcard | Description | Example | Matches
---|---|---|---
\* | Matches any number of any characters including none | `/var/\*/\*.log` | `/var/log/system.log`
? | Matches any single character | `file?.log` | `file1.log`<br/>`file2.log`
## How to configure the list of exclusions
### From the management console
For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
### From the command line
Run the following command to see the available switches for managing exclusions:
```bash
$ mdatp --exclusion
```
Examples:
- Add an exclusion for a file extension:
```bash
$ mdatp --exclusion --add-extension .txt
Configuration updated successfully
```
- Add an exclusion for a file:
```bash
$ mdatp --exclusion --add-folder /var/log/dummy.log
Configuration updated successfully
```
- Add an exclusion for a folder:
```bash
$ mdatp --exclusion --add-folder /var/log/
Configuration updated successfully
```
- Add an exclusion for a process:
```bash
$ mdatp --exclusion --add-process cat
Configuration updated successfully
```
## Validate exclusions lists with the EICAR test file
You can validate that your exclusion lists are working by using `curl` to download a test file.
In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
```bash
$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
```bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
```
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.

2
windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
View File

@ -256,7 +256,7 @@ Download the onboarding package from Microsoft Defender Security Center:
- Open a Terminal window. Copy and execute the following command:
``` bash
curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt
curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
```
- The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats:

67
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
View File

@ -1,6 +1,6 @@
---
title: Deploy Microsoft Defender ATP for Linux with Ansible
ms.reviewer:
ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
@ -14,7 +14,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: conceptual
---
@ -36,14 +36,14 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl
Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
- Ansible needs to be installed on at least on one computer (we will call it the master).
- Passwordless SSH must be configured for the root user between the master and all clients.
- SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication.
- The following software must be installed on all clients:
- Python-apt
- Curl
- Unzip
- curl
- python-apt
- unzip
- All hosts must be listed in the following format in the `/etc/ansible/hosts` file:
```bash
[servers]
host1 ansible_ssh_host=10.171.134.39
@ -67,7 +67,7 @@ Download the onboarding package from Microsoft Defender Security Center:
![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png)
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
```bash
$ ls -l
total 8
@ -79,12 +79,11 @@ Download the onboarding package from Microsoft Defender Security Center:
## Create Ansible YAML files
Create subtask or role files that contribute to an actual task. Create the following files under the `/etc/ansible/roles` directory.
Create subtask or role files that contribute to an actual task. First create the `download_copy_blob.yml` file under the `/etc/ansible/roles` directory:
- Copy the onboarding package to all client machines:
```bash
$ cat /etc/ansible/roles/copy_onboarding_pkg.yml
- name: Copy the zip file
copy:
src: /root/WindowsDefenderATPOnboardingPackage.zip
@ -92,29 +91,33 @@ Create subtask or role files that contribute to an actual task. Create the follo
owner: root
group: root
mode: '0644'
- name: Add Microsoft apt signing key
apt_key:
url: https://packages.microsoft.com/keys/microsoft.asc
state: present
when: ansible_os_family == "Debian"
```
- Create a `setup.sh` script that operates on the onboarding file:
- Create the `setup.sh` script that operates on the onboarding file, in this example located in the `/root` directory:
```bash
$ cat /root/setup.sh
#!/bin/bash
# We assume WindowsDefenderATPOnboardingPackage.zip is stored in /root
cd /root || exit 1
# Unzip the archive and create the onboarding file
mkdir -p /etc/opt/microsoft/mdatp/
unzip WindowsDefenderATPOnboardingPackage.zip
cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json
# get the GPG key
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
```
- Create the onboarding file:
- Create the onboarding task, `onboarding_setup.yml`, under the `/etc/ansible/roles` directory:
```bash
$ cat setup_blob.yml
- name: Register mdatp_onboard.json
stat: path=/etc/opt/microsoft/mdatp/mdatp_onboard.json
register: mdatp_onboard
- name: Copy the setup script file
copy:
src: /root/setup.sh
@ -124,7 +127,8 @@ Create subtask or role files that contribute to an actual task. Create the follo
mode: '0744'
- name: Run a script to create the onboarding file
script: /root/setup.sh
script: /root/setup.sh
when: not mdatp_onboard.stat.exists
```
- Add the Microsoft Defender ATP repository and key.
@ -142,28 +146,22 @@ Create subtask or role files that contribute to an actual task. Create the follo
> [!NOTE]
> In case of Oracle Linux, replace *[distro]* with “rhel”.
- For apt-based distributions use the following YAML file:
```bash
$ cat add_apt_repo.yml
- name: Add Microsoft repository for MDATP
- name: Add Microsoft apt repository for MDATP
apt_repository:
repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
update_cache: yes
state: present
filename: microsoft-[channel].list
when: ansible_os_family == "Debian"
- name: Add Microsoft APT key
apt_key:
keyserver: https://packages.microsoft.com/
id: BC528686B50D79E339D3721CEB3E94ADBE1229C
```
apt_key:
keyserver: https://packages.microsoft.com/
id: BC528686B50D79E339D3721CEB3E94ADBE1229CF
when: ansible_os_family == "Debian"
- For yum-based distributions use the following YAML file:
```bash
$ cat add_yum_repo.yml
- name: Add Microsoft repository for MDATP
- name: Add Microsoft yum repository for MDATP
yum_repository:
name: packages-microsoft-com-prod-[channel]
description: Microsoft Defender ATP
@ -171,6 +169,7 @@ Create subtask or role files that contribute to an actual task. Create the follo
baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
gpgcheck: yes
enabled: Yes
when: ansible_os_family == "RedHat"
```
- Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`.

10
windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
View File

@ -18,7 +18,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Configuring Microsoft Defender ATP for static proxy discovery
# Configure Microsoft Defender ATP for Linux for static proxy discovery
**Applies to:**
@ -33,7 +33,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
- The ```HTTPS_PROXY``` variable is defined in ```/etc/environment``` with the following line:
```bash
HTTPS_PROXY=http://proxy.server:port/
HTTPS_PROXY="http://proxy.server:port/"
```
- The `HTTPS_PROXY` variable is defined in the package manager global configuration. For example, in Ubuntu 18.04, you can add the following line to `/etc/apt/apt.conf.d/proxy.conf`:
@ -48,7 +48,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP:
```bash
$ HTTPS_PROXY=http://proxy.server:port/" apt install mdatp
$ HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
```
> [!NOTE]
@ -62,12 +62,12 @@ Note that installation and uninstallation will not necessarily fail if a proxy i
After installation, the `HTTPS_PROXY` environment variable must be defined in the Microsoft Defender ATP service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
- Uncomment the line `#Environment=HTTPS_PROXY="http://address:port` and specify your static proxy address.
- Uncomment the line `#Environment="HTTPS_PROXY=http://address:port"` and specify your static proxy address.
- Add a line `EnvironmentFile=/path/to/env/file`. This path can point to `/etc/environment` or a custom file, either of which needs to add the following line:
```bash
HTTPS_PROXY=http://proxy.server:port/
HTTPS_PROXY="http://proxy.server:port/"
```
After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:

91
windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md Normal file
View File

@ -0,0 +1,91 @@
---
title: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
ms.reviewer:
description: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
keywords: microsoft, defender, atp, linux, cloud, connectivity, communication
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
## Run the connectivity test
To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
```bash
$ mdatp --connectivity-test
```
If the connectivity test fails, check if the machine has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
## Troubleshooting steps for environments without proxy or with transparent proxy
To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal:
```bash
curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
The output from this command should be similar to:
```
OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping
```
## Troubleshooting steps for environments with static proxy
> [!WARNING]
> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
>
> Intercepting proxies are also not supported for security reasons. Configure your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your proxy certificate to the global store will not allow for interception.
If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
```bash
$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
To use a static proxy, the `mdatp.service` file must be modified. Ensure the leading `#` is removed to uncomment the following line from `/lib/systemd/system/mdatp.service`:
```bash
#Environment="HTTPS_PROXY=http://address:port"
```
Also ensure that the correct static proxy address is filled in to replace `address:port`.
If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting:
```bash
$ sudo systemctl daemon-reload; sudo systemctl restart mdatp
```
Upon success, attempt another connectivity test from the command line:
```bash
$ mdatp --connectivity-test
```
If the problem persists, contact customer support.
## Resources
- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md).

121
windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md Normal file
View File

@ -0,0 +1,121 @@
---
title: Troubleshoot installation issues for Microsoft Defender ATP for Linux
ms.reviewer:
description: Troubleshoot installation issues for Microsoft Defender ATP for Linux
keywords: microsoft, defender, atp, linux, installation
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot installation issues for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
## Verify if installation succeeded
An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, one can obtain and check the installation logs using:
```bash
$ sudo journalctl | grep 'microsoft-mdatp' > installation.log
$ grep 'postinstall end' installation.log
microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
```
An output from the previous command with correct date and time of installation indicates success.
Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file.
## Installation failed
Check if the mdatp service is running
```bash
$ systemctl status mdatp
● mdatp.service - Microsoft Defender ATP
Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
Main PID: 1966 (wdavdaemon)
Tasks: 105 (limit: 4915)
CGroup: /system.slice/mdatp.service
├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon
├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon
└─1968 /opt/microsoft/mdatp/sbin/wdavdaemon
```
## Steps to troubleshoot if mdatp service isn't running
1. Check if “mdatp” user exists:
```bash
$ id “mdatp”
```
If theres no output, run
```bash
$ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
```
2. Try enabling and restarting the service using:
```bash
$ sudo systemctl enable mdatp
$ sudo systemctl restart mdatp
```
3. If mdatp.service isn't found upon running the previous command, run
```bash
$ sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>
where <systemd_path> is
/lib/systemd/system for Ubuntu and Debian distributions
/usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES
```
and then rerun step 2.
4. If the above steps dont work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.
5. Ensure that the daemon has executable permission.
```bash
$ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
-rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
```
If the daemon doesn't have executable permissions, make it executable using:
```bash
$ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
```
and retry running step 2.
6. Ensure that the file system containing wdavdaemon isn't mounted with “noexec”.
## If mdatp service is running, but EICAR text file detection doesn't work
1. Check the file system type using:
```bash
$ findmnt -T <path_of_EICAR_file>
```
Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned.
## Command-line tool “mdatp” isn't working
1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
```bash
$ sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
```
and try again.
If none of the above steps help, collect the diagnostic logs:
```bash
$ sudo mdatp --diagnostic --create
```
Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.

82
windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Troubleshoot performance issues for Microsoft Defender ATP for Linux
description: Troubleshoot performance issues in Microsoft Defender ATP for Linux.
keywords: microsoft, defender, atp, linux, performance
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot performance issues for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Linux.
The following steps can be used to troubleshoot and mitigate these issues:
1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Linux is contributing to the performance issues.
If your device is not managed by your organization, real-time protection can be disabled from the command line:
```bash
$ mdatp --config realTimeProtectionEnabled false
```
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Microsoft Defender ATP for Linux.
> [!NOTE]
> This feature is available in version 100.90.70 or newer.
This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
```bash
$ mdatp config real_time_protection_statistics_enabled on
```
This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
```bash
$ mdatp health
```
Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it:
```bash
$ mdatp --config realTimeProtectionEnabled true
```
To collect current statistics, run:
```bash
$ mdatp diagnostic real_time_protection_statistics # you can use > stat.log to redirect to file
```
The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
> [!NOTE]
> The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
See [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md) for details.

27
windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md Normal file
View File

@ -0,0 +1,27 @@
---
title: What's new in Microsoft Defender Advanced Threat Protection for Linux
description: List of major changes for Microsoft Defender ATP for Linux.
keywords: microsoft, defender, atp, linux, whatsnew, release
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: security
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# What's new in Microsoft Defender Advanced Threat Protection for Linux
## 100.90.70
- Antivirus [exclusions now support wildcards](linux-exclusions.md#supported-exclusion-types)
- Added the ability to [troubleshoot performance issues](linux-support-perf.md) through the `mdatp` command-line tool
- Improvements to make the package installation more robust
- Performance improvements & bug fixes

2
windows/security/threat-protection/microsoft-defender-atp/live-response.md
View File

@ -27,6 +27,8 @@ Live response is a capability that gives you instantaneous access to a machine u
Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUW]
With live response, analysts will have the ability to:
- Run basic and advanced commands to do investigative work
- Download files such as malware samples and outcomes of PowerShell scripts

14
windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
View File

@ -41,10 +41,10 @@ The follow table shows the exclusion types supported by Microsoft Defender ATP f
Exclusion | Definition | Examples
---|---|---
File extension | All files with the extension, anywhere on the machine | .test
File | A specific file identified by the full path | /var/log/test.log
Folder | All files under the specified folder | /var/log/
Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat<br/>cat
File extension | All files with the extension, anywhere on the machine | `.test`
File | A specific file identified by the full path | `/var/log/test.log`
Folder | All files under the specified folder | `/var/log/`
Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`<br/>`cat`
## How to configure the list of exclusions
@ -64,15 +64,15 @@ Select the type of exclusion that you wish to add and follow the prompts.
You can validate that your exclusion lists are working by using `curl` to download a test file.
In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the *.testing extension*, replace *test.txt* with *test.testing*. If you are testing a path, ensure that you run the command within that path.
In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
```bash
$ curl -o test.txt http://www.eicar.org/download/eicar.com.txt
$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
If you do not have internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
```bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt

16
windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
View File

@ -362,9 +362,9 @@ Specifies the value of tag
## Recommended configuration profile
To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
To get started, we recommend the following configuration for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
The following configuration profile will:
The following configuration profile (or, in case of JAMF, a property list that could be uploaded into the custom settings configuration profile) will:
- Enable real-time protection (RTP)
- Specify how the following threat types are handled:
- **Potentially unwanted applications (PUA)** are blocked
@ -372,7 +372,7 @@ The following configuration profile will:
- Enable cloud-delivered protection
- Enable automatic sample submission
### JAMF profile
### Property list for JAMF configuration profile
```XML
<?xml version="1.0" encoding="UTF-8"?>
@ -491,9 +491,9 @@ The following configuration profile will:
## Full configuration profile example
The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over Microsoft Defender ATP for Mac.
The following templates contain entries for all settings described in this document and can be used for more advanced scenarios where you want more control over Microsoft Defender ATP for Mac.
### JAMF profile
### Property list for JAMF configuration profile
```XML
<?xml version="1.0" encoding="UTF-8"?>
@ -734,16 +734,16 @@ The following configuration profile contains entries for all settings described
</array>
```
## Configuration profile validation
## Property list validation
The configuration profile must be a valid *.plist* file. This can be checked by executing:
The property list must be a valid *.plist* file. This can be checked by executing:
```bash
$ plutil -lint com.microsoft.wdav.plist
com.microsoft.wdav.plist: OK
```
If the configuration profile is well-formed, the above command outputs `OK` and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
If the file is well-formed, the above command outputs `OK` and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
## Configuration profile deployment

6
windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
View File

@ -61,6 +61,12 @@ The `Production` channel contains the most stable version of the product.
| **Data type** | String |
| **Possible values** | InsiderFast <br/> External <br/> Production |
>[!WARNING]
>This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender ATP for Mac, execute the following command after replacing `[channel-name]` with the desired channel:
> ```bash
> $ defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }"
> ```
### Set update check frequency
Change how often MAU searches for updates.

7
windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
View File

@ -26,6 +26,13 @@ ms.topic: conceptual
>
> If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
## 100.90.27
- You can now [set an update channel](mac-updates.md#set-the-channel-name) for Microsoft Defender ATP for Mac that is different from the system-wide update channel
- New product icon
- Other user experience improvements
- Bug fixes
## 100.86.92
- Improvements around compatibility with Time Machine

5
windows/security/threat-protection/microsoft-defender-atp/machine.md
View File

@ -25,6 +25,7 @@ ms.topic: article
[!include[Prerelease information](../../includes/prerelease.md)]
## Methods
Method|Return Type |Description
:---|:---|:---
[List machines](get-machines.md) | [machine](machine.md) collection | List set of [machine](machine.md) entities in the org.
@ -36,9 +37,11 @@ Method|Return Type |Description
[Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID.
[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
[Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID
## Properties
Property | Type | Description
Property | Type | Description
:---|:---|:---
id | String | [machine](machine.md) identity.
computerDnsName | String | [machine](machine.md) fully qualified name.

2
windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
View File

@ -122,7 +122,7 @@ It's important to understand the following prerequisites prior to creating indic
>[!IMPORTANT]
> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages Network Protection (link) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS): <br>
> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement: <br>
> NOTE:
>- IP is supported for all three protocols
>- Encrypted URLs (full path) can only be blocked on first party browsers

3
windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
View File

@ -34,6 +34,9 @@ Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution th
Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yQ]
The integration provides the following major improvements to the existing Cloud App Security discovery:
- Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers.

Some files were not shown because too many files have changed in this diff Show More