**Note**
If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
+- **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.
**Note**
If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
-- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts).
+- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts).
## Potential reductions in functionality
After you turn this feature on, your employees might experience reduced functionality when:
-- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been specifically excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used.
+- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been specifically excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used.
-- Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](https://go.microsoft.com/fwlink/p/?LinkId=522302).
+- Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](https://go.microsoft.com/fwlink/p/?LinkId=522302).
-- Using first or third-party apps that use memory-based fonts.
+- Using first or third-party apps that use memory-based fonts.
-- Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently.
+- Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently.
-- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office.
+- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office.
## Turn on and use the Blocking Untrusted Fonts feature
Use Group Policy or the registry to turn this feature on, off, or to use audit mode.
@@ -58,7 +58,7 @@ Use Group Policy or the registry to turn this feature on, off, or to use audit m
2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**:
- - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log.
+ - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log.
- **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log.
@@ -73,9 +73,9 @@ To turn this feature on, off, or to use audit mode:
2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**.
-3. Right click on the **MitigationOptions** key, and then click **Modify**.
+3. Right click on the **MitigationOptions** key, and then click **Modify**.
- The **Edit QWORD (64-bit) Value** box opens.
+ The **Edit QWORD (64-bit) Value** box opens.
4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below:
@@ -85,8 +85,8 @@ To turn this feature on, off, or to use audit mode:
- **To audit with this feature.** Type **3000000000000**.
- >[!Important]
- >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.
+ > [!Important]
+ > Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.
5. Restart your computer.
@@ -104,27 +104,27 @@ After you turn this feature on, or start using Audit mode, you can look at your
FontType: Memory
FontPath:
Blocked: true
-
- >[!NOTE]
- >Because the **FontType** is *Memory*, there’s no associated **FontPath**.
+
+ > [!NOTE]
+ > Because the **FontType** is *Memory*, there’s no associated **FontPath**.
**Event Example 2 - Winlogon**
Winlogon.exe attempted loading a font that is restricted by font-loading policy.
FontType: File
FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
Blocked: true
-
- >[!NOTE]
- >Because the **FontType** is *File*, there’s also an associated **FontPath**.
+
+ > [!NOTE]
+ > Because the **FontType** is *File*, there’s also an associated **FontPath**.
**Event Example 3 - Internet Explorer running in Audit mode**
Iexplore.exe attempted loading a font that is restricted by font-loading policy.
FontType: Memory
FontPath:
Blocked: false
-
- >[!NOTE]
- >In Audit mode, the problem is recorded, but the font isn’t blocked.
+
+ > [!NOTE]
+ > In Audit mode, the problem is recorded, but the font isn’t blocked.
## Fix apps having problems because of blocked fonts
Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems.
@@ -133,21 +133,15 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa
**To fix your apps by installing the problematic fonts (recommended)**
-- On each computer with the app installed, right-click on the font name and click **Install**.
The font should automatically install into your `%windir%/Fonts` directory. If it doesn’t, you’ll need to manually copy the font files into the **Fonts** directory and run the installation from there. +- On each computer with the app installed, right-click on the font name and click **Install**.
The font should automatically install into your `%windir%/Fonts` directory. If it doesn’t, you’ll need to manually copy the font files into the **Fonts** directory and run the installation from there.
**To fix your apps by excluding processes**
-1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
+1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
+
+2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic.
-2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic.
-
## Related content
-- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/)
-
-
-
-
-
-
+- [Dropping the “Untrusted Font Blocking” setting](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068/)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
index 4c9c47828e..cb05c08abe 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@@ -11,7 +11,7 @@ author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
audience: ITPro
-ms.date:
+ms.date: 11/30/2020
ms.reviewer:
manager: dansimp
---
@@ -31,72 +31,73 @@ manager: dansimp
Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior.
-For example:
+Here are some examples:
-* **Advertising software**: Software that displays advertisements or promotions, including software that inserts advertisements to webpages.
-* **Bundling software**: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA.
-* **Evasion software**: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
+- **Advertising software** that displays advertisements or promotions, including software that inserts advertisements to webpages.
+- **Bundling software** that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA.
+- **Evasion software** that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
-For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md).
+> [!TIP]
+> For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md).
Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up.
-## How it works
+PUA protection is supported on Windows 10, Windows Server 2019, and Windows Server 2016.
-### Microsoft Edge
+## Microsoft Edge
-The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md).
+The [new Microsoft Edge](https://support.microsoft.com/microsoft-edge/get-to-know-microsoft-edge-3f4bb0ff-58de-2188-55c0-f560b7e20bea), which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md).
-#### Enable PUA protection in Chromium-based Microsoft Edge
+### Enable PUA protection in Chromium-based Microsoft Edge
Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser.
1. Select the ellipses, and then choose **Settings**.
-2. Select **Privacy and services**.
-3. Under the **Services** section, turn on **Block potentially unwanted apps**.
+2. Select **Privacy, search, and services**.
+3. Under the **Security** section, turn on **Block potentially unwanted apps**.
> [!TIP]
-> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/).
+> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our [Microsoft Defender SmartScreen demo pages](https://demo.smartscreen.msft.net/).
-#### Blocking URLs with Windows Defender SmartScreen
+### Blocking URLs with Microsoft Defender SmartScreen
-In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs.
+In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs.
-Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows
+Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft
Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can
-[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off.
+[configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.
-Although Microsoft Defender for Endpoint has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Windows Defender SmartScreen will respect the new settings.
+Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings.
-### Microsoft Defender Antivirus
+## Microsoft Defender Antivirus
The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network.
> [!NOTE]
-> This feature is only available in Windows 10.
+> This feature is available in Windows 10, Windows Server 2019, and Windows Server 2016.
Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine.
-When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content.
+When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification is prefaced with `PUA:` to indicate its content.
The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history).
-#### Configure PUA protection in Microsoft Defender Antivirus
+### Configure PUA protection in Microsoft Defender Antivirus
-You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets.
+You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true).
-You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log.
+You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log.
> [!TIP]
-> You can visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action.
+> Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action.
-PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
+PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
-##### Use Intune to configure PUA protection
+#### Use Intune to configure PUA protection
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
-##### Use Configuration Manager to configure PUA protection
+#### Use Configuration Manager to configure PUA protection
PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch).
@@ -107,37 +108,39 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
> [!NOTE]
> PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager.
-##### Use Group Policy to configure PUA protection
+#### Use Group Policy to configure PUA protection
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus**.
+3. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**.
-4. Double-click **Configure protection for potentially unwanted applications**.
+4. Double-click **Configure detection for potentially unwanted applications**.
5. Select **Enabled** to enable PUA protection.
6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**.
-##### Use PowerShell cmdlets to configure PUA protection
+7. Deploy your Group Policy object as you usually do.
-###### To enable PUA protection
+#### Use PowerShell cmdlets to configure PUA protection
+
+##### To enable PUA protection
```PowerShell
Set-MpPreference -PUAProtection enable
```
Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled.
-###### To set PUA protection to audit mode
+##### To set PUA protection to audit mode
```PowerShell
Set-MpPreference -PUAProtection auditmode
```
Setting `AuditMode` will detect PUAs without blocking them.
-###### To disable PUA protection
+##### To disable PUA protection
We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:
@@ -148,7 +151,7 @@ Setting the value for this cmdlet to `Disabled` will turn the feature off if it
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-#### View PUA events
+### View PUA events
PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune.
@@ -156,9 +159,11 @@ You can turn on email notifications to receive mail about PUA detections.
See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**.
-#### Allow-listing apps
+### Allow-listing apps
-Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Microsoft Defender Antivirus.
+Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed.
+
+For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions).
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index d2c6d68716..f5e542e2f6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -14,7 +14,7 @@ ms.author: deniseb
ms.reviewer: sugamar, jcedola
manager: dansimp
ms.custom: asr
-ms.date: 10/08/2020
+ms.date: 11/30/2020
---
# Reduce attack surfaces with attack surface reduction rules
@@ -26,21 +26,35 @@ ms.date: 10/08/2020
* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks.
+## Overview
-Attack surface reduction rules target software behaviors that are often abused by attackers, such as:
+Your attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks.
-- Launching executable files and scripts that attempt to download or run files
-- Running obfuscated or otherwise suspicious scripts
-- Performing behaviors that apps don't usually initiate during normal day-to-day work
+Attack surface reduction rules target certain software behaviors that are often abused by attackers. Such behaviors include:
-Such behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
+- Launching executable files and scripts that attempt to download or run files;
+- Running obfuscated or otherwise suspicious scripts; and
+- Performing behaviors that apps don't usually initiate during normal day-to-day work.
+
+Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.
+
+For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+
+## Assess rule impact before deployment
+
+You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm).
+
+:::image type="content" source="images/asrrecommendation.png" alt-text="Security recommendation for ASR rule":::
+
+In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity.
+
+## Audit mode for evaluation
Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
-Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center.
+## Notifications when a rule is triggered
-For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center.
## Attack surface reduction features across Windows versions
@@ -54,7 +68,7 @@ To use the entire feature-set of attack surface reduction rules, you need a [Win
## Review attack surface reduction events in the Microsoft Defender Security Center
-Defender for Endpoint provides detailed reporting for events and blocks, as part of its alert investigation scenarios.
+Defender for Endpoint provides detailed reporting for events and blocks as part of alert investigation scenarios.
You can query Defender for Endpoint data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
index ba855cf88a..99f4521685 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
@@ -9,11 +9,11 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
audience: ITPro
-author: appcompatguy
-ms.author: cjacks
+author: denisebmsft
+ms.author: deniseb
ms.date: 07/20/2020
-ms.reviewer:
-manager: saudm
+ms.reviewer: cjacks
+manager: dansimp
ms.custom: asr
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/asrrecommendation.png b/windows/security/threat-protection/microsoft-defender-atp/images/asrrecommendation.png
new file mode 100644
index 0000000000..1ce1089fbf
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/asrrecommendation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-actions.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-actions.png
new file mode 100644
index 0000000000..46a71a3ab6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-actions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-policy.png
new file mode 100644
index 0000000000..efd5173cfb
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-policy.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-settings.png
new file mode 100644
index 0000000000..a09b5f9a3a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ios-jb-settings.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
index feab52dd1a..6948f7a392 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
@@ -43,7 +43,7 @@ It's important to understand the following requirements prior to creating indica
- The Antimalware client version must be 4.18.1901.x or later.
- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019.
- The virus and threat protection definitions must be up-to-date.
-- This feature currently supports entering .CER or .PEM file extensions.
+- This feature currently supports entering .CER or .PEM (Base64 ASCII) encoding based certificates.
>[!IMPORTANT]
> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities').
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
index ad2a51ab8f..68c6dfd43f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
@@ -27,6 +27,42 @@ ms.topic: conceptual
> [!NOTE]
> Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
+> [!IMPORTANT]
+> **PUBLIC PREVIEW EDITION**
+>
+> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
+>
+> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+
+
+## Configure compliance policy against jailbroken devices
+
+To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you setup the following compliance policy on Intune.
+
+> [!NOTE]
+> Currently Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. Some data like your corporate email id and corporate profile picture (if available) will be exposed to the attacker on the jailbroken device.
+
+Follow the steps below to create a compliance policy against jailbroken devices.
+
+1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> click on **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+1. Specify a name of the policy, example "Compliance Policy for Jailbreak".
+1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field.
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+1. In the *Action for noncompliance* section, select the actions as per your requirements and click **Next**.
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+1. In the *Assignments* section, select the user groups that you want to include for this policy and then click **Next**.
+1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
+
## Configure custom indicators
Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. Refer to [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) on how to configure custom indicators.
@@ -37,4 +73,3 @@ Defender for Endpoint for iOS enables admins to configure custom indicators on i
## Web Protection
By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks.
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
index 87c1b96104..cb1c7d7be7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
@@ -1,6 +1,6 @@
---
title: Intune-based deployment for Microsoft Defender ATP for Mac
-description: Install Microsoft Defender ATP for Mac, using Microsoft Intune.
+description: Install Microsoft Defender for Endpoint for Mac, using Microsoft Intune.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -42,7 +42,7 @@ This topic describes how to deploy Microsoft Defender for Endpoint for Mac throu
## Prerequisites and system requirements
-Before you get started, see [the main MIcrosoft Defender for EndpointP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender for Endpoint for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Overview
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
index 63eee7a042..1a4cbac837 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
@@ -24,49 +24,46 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-**Microsoft Defender for Endpoint for iOS** will offer protection against phishing and unsafe network connections from websites, emails, and apps. All alerts will be available through a single pane of glass in the Microsoft Defender Security Center. The portal gives security teams a centralized view of threats on
-iOS devices along with other platforms.
-> [!CAUTION]
-> Running other third-party endpoint protection products alongside Defender for Endpoint for iOS is likely to cause performance problems and unpredictable system errors.
+> [!IMPORTANT]
+> **PUBLIC PREVIEW EDITION**
+>
+> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
+>
+> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+
+
+The public preview of Defender for Endpoint for iOS will offer protection
+against phishing and unsafe network connections from websites, emails, and apps.
+All alerts will be available through a single pane of glass in the Microsoft
+Defender Security Center. The portal gives security teams a centralized view of threats on
+iOS devices along with other platforms.
## Pre-requisites
+
**For End Users**
-- Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements)
-
-- Device(s) are [enrolled](https://docs.microsoft.com/mem/intune/user-help/enroll-your-device-in-intune-ios) via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.
- - Intune Company Portal app can be downloaded from [Apple App Store](https://apps.apple.com/us/app/intune-company-portal/id719171358).
-
-- For more information on how to assign licenses, see [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign).
-
+- Defender for Endpoint license assigned to the end user(s) of the app. Refer
+ [Assign licenses to
+ users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
+ for instructions on how to assign licenses.
**For Administrators**
- Access to the Microsoft Defender Security Center portal
-
- > [!NOTE]
- > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint for iOS. Currently only enrolled devices are supported for enforcing Defender for Endpoint for iOS related device compliance policies in Intune.
- Access to [Microsoft Endpoint Manager admin
- center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization
+ center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app
+ to enrolled user groups in your organization
**System Requirements**
-- iOS devices running iOS 11.0 and above
+- iOS devices running iOS 11.0 and later
- Device is enrolled with Intune Company Portal
[app](https://apps.apple.com/us/app/intune-company-portal/id719171358)
-> [!NOTE]
-> **Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available on [Apple App Store](https://aka.ms/mdatpiosappstore).**
-
-## Installation instructions
-
-Deployment of Microsoft Defender for Endpoint for iOS is via Microsoft Intune (MDM) and both supervised and unsupervised devices are supported.
-For more information, see [Deploy Microsoft Defender for Endpoint for iOS](ios-install.md).
-
## Resources
- Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS)
@@ -78,4 +75,4 @@ For more information, see [Deploy Microsoft Defender for Endpoint for iOS](ios-i
## Next steps
- [Deploy Microsoft Defender for Endpoint for iOS](ios-install.md)
-- [Configure Microsoft Defender for Endpoint for iOS features](ios-configure-features.md)
\ No newline at end of file
+- [Configure Microsoft Defender for Endpoint for iOS features](ios-configure-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
index f36e72d95c..53f1a5d9d1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
@@ -18,7 +18,7 @@ ms.collection:
- M365-security-compliance
- m365solution-symantecmigrate
ms.topic: article
-ms.date: 09/24/2020
+ms.date: 11/30/2020
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
@@ -68,6 +68,12 @@ Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+> [!NOTE]
+> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
+> Example:
+> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
+> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+
3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
`Get-Service -Name windefend`
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 56d43dafc5..0c20744eee 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -67,12 +67,12 @@ When submitting Microsoft Defender SmartScreen products, make sure to select **M
## Viewing Microsoft Defender SmartScreen anti-phishing events
> [!NOTE]
-> No Smartscreen events will be logged when using Microsoft Edge version 77 or later.
+> No SmartScreen events will be logged when using Microsoft Edge version 77 or later.
-When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
+When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://docs.microsoft.com/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)).
## Viewing Windows event logs for Microsoft Defender SmartScreen
-Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug login Event Viewer.
+Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log, in the Event Viewer.
Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it:
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index 54140d60f7..d9e0d8d50b 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -30,7 +30,7 @@ The **Passwords must meet complexity requirements** policy setting determines wh
1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is fewer than three characters long, this check is skipped.
- The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Havens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "grin" or "hagens" as a substring anywhere in the password.
+ The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Havens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "havens" as a substring anywhere in the password.
2. The password contains characters from three of the following categories: