diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 7bcd7f8d15..2085738ae8 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -2044,6 +2044,11 @@
"source_path": "windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis",
"redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list",
+ "redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md",
@@ -16519,6 +16524,16 @@
"source_path": "windows/hub/windows-10.yml",
"redirect_url": "https://docs.microsoft.com/windows/windows-10",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr",
+ "redirect_document_id": false
}
]
}
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index 33b58da4ab..8a5ead4fe6 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -18,10 +18,10 @@ ms.date: 10/17/2017
# Distribute offline apps
-**Applies to**
+**Applies to:**
-- Windows 10
-- Windows 10 Mobile
+- Windows 10
+- Windows 10 Mobile
Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store.
@@ -29,23 +29,23 @@ Offline licensing is a new licensing option for Windows 10 with Microsoft Store
Offline-licensed apps offer an alternative to online apps, and provide additional deployment options. Some reasons to use offline-licensed apps:
-- **You don't have access to Microsoft Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps.
+- **You don't have access to Microsoft Store services** - If your employees don't have access to the Internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps.
-- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD).
+- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD).
-- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store.
+- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store.
## Distribution options for offline-licensed apps
You can't distribute offline-licensed apps directly from Microsoft Store. Once you download the items for the offline-licensed app, you have options for distributing the apps:
-- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
+- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
-- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages).
+- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages).
-- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
+- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
- [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
+ - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/windows-store-for-business)
For third-party MDM providers or management servers, check your product documentation.
@@ -53,23 +53,22 @@ For third-party MDM providers or management servers, check your product document
There are several items to download or create for offline-licensed apps. The app package and app license are required; app metadata and app frameworks are optional. This section includes more info on each item, and tells you how to download an offline-licensed app.
-- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata.
+- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata.
-- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices.
+- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices.
-- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM.
+- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM.
-- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected.
+- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected.
-
-**To download an offline-licensed app**
+**To download an offline-licensed app**
-1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**.
-3. Click **Settings**.
-4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory.
-5. Click **Manage**. You now have access to download the appx bundle package metadata and license file.
-6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.)
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com).
+2. Click **Manage**.
+3. Click **Settings**.
+4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory.
+5. Click **Manage**. You now have access to download the appx bundle package metadata and license file.
+6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.)
- **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional.
- **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required.
@@ -78,16 +77,3 @@ There are several items to download or create for offline-licensed apps. The app
> [!NOTE]
> You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible.
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md
index 42f33e8015..82518ed170 100644
--- a/store-for-business/includes/store-for-business-content-updates.md
+++ b/store-for-business/includes/store-for-business-content-updates.md
@@ -2,6 +2,14 @@
+## Week of January 25, 2021
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 1/29/2021 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified |
+
+
## Week of January 11, 2021
diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md
index 9bad3fe712..12547591ba 100644
--- a/windows/client-management/mdm/filesystem-csp.md
+++ b/windows/client-management/mdm/filesystem-csp.md
@@ -14,41 +14,38 @@ ms.date: 06/26/2017
# FileSystem CSP
-
The FileSystem configuration service provider is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. It can retrieve information about or manage files in ROM, files in persistent store and files on any removable storage card that is present in the device. It works for files that are hidden from the user as well as those that are visible to the user.
-> **Note** FileSystem CSP is only supported in Windows 10 Mobile.
->
->
->
-> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
+> [!NOTE]
+> FileSystem CSP is only supported in Windows 10 Mobile.
-
+> [!NOTE]
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
-**FileSystem**
+**FileSystem**
Required. Defines the root of the file system management object. It functions as the root directory for file system queries.
Recursive queries or deletes are not supported for this element. Add commands will add a new file or directory under the root path.
The following properties are supported for the root node:
-- `Name`: The root node name. The Get command is the only supported command.
+- `Name`: The root node name. The Get command is the only supported command.
-- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command.
+- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command.
-- `Format`: The format, which is `node`. The Get command is the only supported command.
+- `Format`: The format, which is `node`. The Get command is the only supported command.
-- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
+- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
-- `Size`: Not supported.
+- `Size`: Not supported.
-- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
+- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
-***file directory***
+***file directory***
Optional. Returns the name of a directory in the device file system. Any *file directory* element can contain directories and files as child elements.
The Get command returns the name of the file directory. The Get command with `?List=Struct` will recursively return all child element names (including sub-directory names). The Get command with `?list=StructData` query is not supported and returns a 406 error code.
@@ -61,19 +58,19 @@ The Delete command is used to delete all files and subfolders under this *file d
The following properties are supported for file directories:
-- `Name`: The file directory name. The Get command is the only supported command.
+- `Name`: The file directory name. The Get command is the only supported command.
-- `Type`: The MIME type of the file, which an empty string for directories that are not the root node. The Get command is the only supported command.
+- `Type`: The MIME type of the file, which is an empty string for directories that are not the root node. The Get command is the only supported command.
-- `Format`: The format, which is `node`. The Get command is the only supported command.
+- `Format`: The format, which is `node`. The Get command is the only supported command.
-- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
+- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
-- `Size`: Not supported.
+- `Size`: Not supported.
-- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
+- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file `winnt.h`. This supports the Get command and the Replace command.
-***file name***
+***file name***
Optional. Return a file in binary format. If the file is too large for the configuration service to return, it returns error code 413 (Request entity too large) instead.
The Delete command deletes the file.
@@ -86,29 +83,18 @@ The Get command is not supported on a *file name* element, only on the propertie
The following properties are supported for files:
-- `Name`: The file name. The Get command is the only supported command.
+- `Name`: The file name. The Get command is the only supported command.
-- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command.
+- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command.
-- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml. The Get command is the only supported command.
+- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over WBXML. The Get command is the only supported command.
-- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
+- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
-- `Size`: The unencoded file content size in bytes. The Get command is the only supported command.
+- `Size`: The unencoded file content size in bytes. The Get command is the only supported command.
-- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
+- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index f68a71f820..b106637736 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -677,7 +677,7 @@ The following list shows the supported values:
-Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
+Specifies the maximum amount of time (in seconds) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
* On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
* On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index df70a21a7c..8698b88092 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1113,8 +1113,8 @@ ADMX Info:
Supported values:
-- 0 - Disable (Default)
-- 1 - Enable
+- 0 - Disable
+- 1 - Enable (Default)
@@ -1733,18 +1733,19 @@ OS upgrade:
Update:
- Maximum deferral: 1 month
- Deferral increment: 1 week
-- Update type/notes:
- If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
- - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
- - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
- - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
- - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
- - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
- - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
- - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
- - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
+- Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic:
+
+ - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
+ - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
+ - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
+ - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
+ - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
+ - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
+ - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
+ - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
Other/cannot defer:
+
- Maximum deferral: No deferral
- Deferral increment: No deferral
- Update type/notes:
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 76e17626d7..01f89be64e 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -46,7 +46,7 @@ Application compatibility testing has historically been a burden when approachin
Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10.
-For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics s a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows).
+For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows).
### Device compatibility
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 6b18acd8ae..38d957f492 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -49,8 +49,8 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
### Install VAMT using the ADK
-1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package.
-Reminder: There won't be new ADK release for 1909.
+1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
+ If an older version is already installed, it is recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database.
2. Enter an install location or use the default path, and then select **Next**.
3. Select a privacy setting, and then select **Next**.
4. Accept the license terms.
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index c6f1fd140f..aea5913427 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -113,6 +113,7 @@ The following methodology was used to derive these network endpoints:
|||HTTP|*.windowsupdate.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTPS|*.delivery.mp.microsoft.com|
|||TLSv1.2|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTP|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|TLSv1.2|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||TLSv1.2|dlassets-ssl.xboxlive.com|
diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md
index 7f7f58c2b8..16e55efb95 100644
--- a/windows/security/identity-protection/TOC.md
+++ b/windows/security/identity-protection/TOC.md
@@ -18,7 +18,7 @@
#### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
#### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
-## [Windows Hello for Business](hello-for-business/hello-identity-verification.md)
+## [Windows Hello for Business](hello-for-business/index.yml)
## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 215c86beea..e6e5fa20c1 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,5 +1,5 @@
---
-title: Multifactor Unlock
+title: Multi-factor Unlock
description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
ms.prod: w10
@@ -16,7 +16,7 @@ localizationpriority: medium
ms.date: 03/20/2018
ms.reviewer:
---
-# Multifactor Unlock
+# Multi-factor Unlock
**Applies to:**
- Windows 10
@@ -83,15 +83,17 @@ For example, if you include the PIN and fingerprint credential providers in both
The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device.
### Rule element
-You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0.
+You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0.
+
**Example**
-```
+```xml
```
### Signal element
-Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.
+Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.
+
|Attribute|Value|
|---------|-----|
@@ -109,8 +111,8 @@ You define the bluetooth signal with additional attributes in the signal element
|rssiMin|"*number*"|no|
|rssiMaxDelta|"*number*"|no|
-Example:
-```
+**Example**
+```xml
@@ -142,63 +144,76 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw
You define IP configuration signals using one or more ipConfiguration elements. Each element has a string value. IpConfiguration elements do not have attributes or nested elements.
##### IPv4Prefix
-The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element.
+The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element.
+
**Example**
-```
+```xml
192.168.100.0/24
```
+
The assigned IPv4 addresses in the range of 192.168.100.1 to 192.168.100.254 match this signal configuration.
##### IPv4Gateway
-The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element.
+The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element.
+
**Example**
-```
+```xml
192.168.100.10
```
+
##### IPv4DhcpServer
-The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element.
+The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element.
+
**Example**
-```
+```xml
192.168.100.10
```
+
##### IPv4DnsServer
-The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.
+The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.
+
**Example:**
-```
+```xml
192.168.100.10
```
##### IPv6Prefix
-The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element.
+The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element.
+
**Example**
-```
+```xml
21DA:D3::/48
```
##### IPv6Gateway
-The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element.
+The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element.
+
**Example**
-```
+```xml
21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2
```
##### IPv6DhcpServer
-The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element.
+The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element.
+
**Example**
-```
+```xml
21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2
+The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. The **signal** element may contain one or more **ipv6DnsServer** elements.
+
**Example**
-```
+```xml
21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2
```
+
##### dnsSuffix
-The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
+The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
+
**Example**
-```
+```xml
corp.contoso.com
```
@@ -210,15 +225,17 @@ The fully qualified domain name of your organization's internal DNS suffix where
You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements.
#### SSID
-Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required.
-```
+Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required.
+
+```xml
corpnetwifi
```
#### BSSID
-Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional.
+Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional.
+
**Example**
-```
+```xml
12-ab-34-ff-e5-46
```
@@ -235,19 +252,22 @@ Contains the type of security the client uses when connecting to the wireless ne
|WPA2-Enterprise| The wireless network is protected using Wi-Fi Protected Access 2-Enterprise.|
**Example**
-```
+```xml
WPA2-Enterprise
```
#### TrustedRootCA
-Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional.
+Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional.
+
**Example**
-```
+```xml
a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa
```
+
#### Sig_quality
-Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.
+Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.
+
**Example**
-```
+```xml
80
```
@@ -257,7 +277,8 @@ These examples are wrapped for readability. Once properly formatted, the entire
#### Example 1
This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, and DnsSuffix elements.
-```
+
+```xml
10.10.10.0/24
@@ -271,10 +292,11 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer,
#### Example 2
This example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones. This configuration is wrapped for reading. Once properly formatted, the entire XML contents must be a single line. This example implies that either the ipconfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
+
>[!NOTE]
>Separate each rule element using a comma.
-```
+```xml
corp.contoso.com
@@ -284,9 +306,11 @@ This example configures an IpConfig signal type using a dnsSuffix element and a
```
+
#### Example 3
This example configures the same as example 2 using compounding And elements. This example implies that the ipconfig **and** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
-```
+
+```xml
@@ -296,9 +320,11 @@ This example configures the same as example 2 using compounding And elements. T
```
+
#### Example 4
This example configures Wi-Fi as a trusted signal (Windows 10, version 1803)
-```
+
+```xml
contoso
@@ -332,22 +358,34 @@ The Group Policy object contains the policy settings needed to trigger Windows H
> * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both.
> * The multifactor unlock feature is also supported via the Passport for Work CSP. See [Passport For Work CSP](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) for more information.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Right-click **Group Policy object** and select **New**.
-4. Type *Multifactor Unlock* in the name box and click **OK**.
-5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**.
-6. In the navigation pane, expand **Policies** under **Computer Configuration**.
-7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
- 
-8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
- 
-9. Configure first and second unlock factors using the information in the [Configure Unlock Factors](#configuring-unlock-factors) section.
-10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in the [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) section.
-11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
+1. Start the **Group Policy Management Console** (gpmc.msc).
- ## Troubleshooting
- Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**.
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+
+3. Right-click **Group Policy object** and select **New**.
+
+4. Type *Multifactor Unlock* in the name box and click **OK**.
+
+5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**.
+
+6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+
+7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
+
+ 
+
+8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
+
+ 
+
+9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors).
+
+10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider).
+
+11. Click **OK** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
+
+## Troubleshooting
+Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**.
### Events
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index f3f064b1d1..95b07dfe0d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -1,5 +1,5 @@
---
-title: Windows Hello for Business Deployment Guide
+title: Windows Hello for Business Deployment Overview
description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
@@ -13,28 +13,35 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 08/29/2018
+ms.date: 01/21/2021
ms.reviewer:
---
-# Windows Hello for Business Deployment Guide
+# Windows Hello for Business Deployment Overview
**Applies to**
-- Windows 10, version 1703 or later
+
+- Windows 10, version 1703 or later
Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
-This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment.
+This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.
+
+Once you've chosen a deployment model, the deployment guide for the that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment.
+
+> [!NOTE]
+> Read the [Windows Hello for Business Deployment Prerequisite Overview](hello-identity-verification.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
## Assumptions
-This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
-* A well-connected, working network
-* Internet access
-* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
-* Proper name resolution, both internal and external names
-* Active Directory and an adequate number of domain controllers per site to support authentication
-* Active Directory Certificate Services 2012 or later
-* One or more workstation computers running Windows 10, version 1703
+This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
+
+- A well-connected, working network
+- Internet access
+- Multi-factor Authentication Server to support MFA during Windows Hello for Business provisioning
+- Proper name resolution, both internal and external names
+- Active Directory and an adequate number of domain controllers per site to support authentication
+- Active Directory Certificate Services 2012 or later
+- One or more workstation computers running Windows 10, version 1703
If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
@@ -46,15 +53,17 @@ Windows Hello for Business has three deployment models: Cloud, hybrid, and on-pr
Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
-The trust model determines how you want users to authenticate to the on-premises Active Directory:
-* The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication.
-* The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
-* The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
+The trust model determines how you want users to authenticate to the on-premises Active Directory:
+
+- The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication.
+- The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
+- The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
> [!NOTE]
> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
Following are the various deployment guides and models included in this topic:
+
- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
- [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md
deleted file mode 100644
index d35d4dea64..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-features.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Windows Hello for Business Features
-description: Consider additional features you can use after your organization deploys Windows Hello for Business.
-ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
-ms.reviewer:
-keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged credentials
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 11/27/2019
----
-# Windows Hello for Business Features
-
-**Applies to:**
-
-- Windows 10
-
-Consider these additional features you can use after your organization deploys Windows Hello for Business.
-
-## Conditional access
-
-Azure Active Directory provides a wide set of options for protecting access to corporate resources. Conditional access provides more fine grained control over who can access certain resources and under what conditions. For more information see [Conditional Access](hello-feature-conditional-access.md).
-
-## Dynamic lock
-
-Dynamic lock uses a paired Bluetooth device to determine user presence and locks the device if a user is not present. For more information and configuration steps see [Dynamic Lock](hello-feature-dynamic-lock.md).
-
-## PIN reset
-
-Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen. The Microsoft PIN reset service can be used for completing this reset without the user needing to enroll a new Windows Hello for Business credential. For more information and configuration steps see [Pin Reset](hello-feature-pin-reset.md).
-
-## Dual Enrollment
-
-This feature enables provisioning of administrator Windows Hello for Business credentials that can be used by non-privileged accounts to perform administrative actions. These credentials can be used from the non-privileged accounts using **Run as different user** or **Run as administrator**. For more information and configuration steps see [Dual Enrollment](hello-feature-dual-enrollment.md).
-
-## Remote Desktop
-
-Users with Windows Hello for Business certificate trust can use their credential to authenticate to remote desktop sessions over RDP. When authenticating to the session, biometric gestures can be used if they are enrolled. For more information and configuration steps see [Remote Desktop](hello-feature-remote-desktop.md).
-
-## Related topics
-
-- [Windows Hello for Business](hello-identity-verification.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
deleted file mode 100644
index 0e03beb9e3..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: How Windows Hello for Business works - Technical Deep Dive
-description: Deeply explore how Windows Hello for Business works, and how it can help your users authenticate to services.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 08/19/2018
-ms.reviewer:
----
-# Technical Deep Dive
-
-**Applies to:**
-- Windows 10
-
-Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories:
-- [Registration](#registration)
-- [Provisioning](#provisioning)
-- [Authentication](#authentication)
-
-## Registration
-
-Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
-
-[How Device Registration Works](hello-how-it-works-device-registration.md)
-
-
-## Provisioning
-
-Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
-After successfully completing the second factor of authentication, the user is asked to enroll biometrics (if available on the device) and create PIN as a backup gesture. Windows then registers the public version of the Windows Hello for Business credential with the identity provider.
-For cloud and hybrid deployments, the identity provider is Azure Active Directory and the user registers their key with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the user registers their key with the enterprise device registration service hosted on the federation servers.
-Provision can occur automatically through the out-of-box-experience (OOBE) on Azure Active Directory joined devices, or on hybrid Azure Active Directory joined devices where the user or device is influenced by Windows Hello for Business policy settings. Users can start provisioning through **Add PIN** from Windows Settings. Watch the [Windows Hello for Business enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) from our [Videos](hello-videos.md) page.
-
-[How Windows Hello for Business provisioning works](hello-how-it-works-provisioning.md)
-
-## Authentication
-
-Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
-
-[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 528c1b6fe8..c9844c3d80 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -19,29 +19,46 @@ ms.reviewer:
**Applies to**
-- Windows 10
+- Windows 10
-Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
+Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
## Technical Deep Dive
-Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business.
+Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business.
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work.
+### Device Registration
+
+Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
+
+For more information read [how device registration works](hello-how-it-works-device-registration.md).
+
+### Provisioning
+
+Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
+
+For more information read [how provisioning works](hello-how-it-works-provisioning.md).
+
+### Authentication
+
+With the device registered and provisioning complete, users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
+
> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
-- [Technology and Terminology](hello-how-it-works-technology.md)
-- [Device Registration](hello-how-it-works-device-registration.md)
-- [Provisioning](hello-how-it-works-provisioning.md)
-- [Authentication](hello-how-it-works-authentication.md)
+For more information read [how authentication works](hello-how-it-works-authentication.md).
## Related topics
+- [Technology and Terminology](hello-how-it-works-technology.md)
- [Windows Hello for Business](hello-identity-verification.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index ec12645e1d..2b5e042c13 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -25,13 +25,13 @@ ms.reviewer:
- Hybrid Deployment
- Certificate Trust
-Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer.
+Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer.
-All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorities to provide defense-in-depth security for issuing user authentication certificates.
+All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
## Certificate Templates
-This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority.
+This section has you configure certificate templates on your Windows Server 2012 (or later) Active Directory Certificate Services issuing certificate authority.
### Domain Controller certificate template
@@ -39,13 +39,13 @@ Clients need to trust domain controllers and the best way to do this is to ensur
Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD joined devices. The steps below to *Create a Domain Controller Authentication (Kerberos) Certificate Template* and *Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template* to include the **KDC Authentication** OID in the domain controller certificate may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD joined devices to your environment in the future.
-By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template as a baseline to create an updated domain controller certificate template.
+By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template as a baseline to create an updated domain controller certificate template.
#### Create a Domain Controller Authentication (Kerberos) Certificate Template
Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
-1. Open the **Certificate Authority** management console.
+1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
@@ -66,15 +66,15 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
-Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
+Many domain controllers may have an existing domain controller certificate. Active Directory Certificate Services provides a default certificate template for domain controllers--the Domain Controller certificate template. Later releases provided a new certificate template--the Domain Controller Authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
-The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later).
+The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers (2008 or later).
-The auto-enrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template.
+The auto-enrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate based on the Kerberos Authentication certificate template.
Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
-1. Open the **Certificate Authority** management console.
+1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
@@ -86,31 +86,32 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
-7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**.
+7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template, and click **OK**.
8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab.
9. Click **OK** and close the **Certificate Templates** console.
-The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
+The certificate template is configured to supersede all the certificate templates listed in the superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
> [!NOTE]
-> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
+> A domain controller's certificate must chain to a certificate in the NTAuth store in Active Directory. By default, online "Enterprise" Active Directory Certificate Authority certificates are added to the NTAuth store at installation time. If you are using a third-party CA, this is not done by default. If the domain controller certificate does not chain to a trusted CA in the NTAuth store, user authentication will fail.
+> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers.
### Enrollment Agent certificate template
-Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate life-cycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
+Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request, or when the service first starts.
-Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
+Approximately 60 days prior to the enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew and expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
> [!IMPORTANT]
-> Follow the procedures below based on the AD FS service account used in your environment.
+> Follow the procedures below based on the AD FS service account used in your environment.
#### Creating an Enrollment Agent certificate for Group Managed Service Accounts
-Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+Sign-in to a certificate authority or management workstation with _Domain Admin_ equivalent credentials.
-1. Open the **Certificate Authority Management** console.
+1. Open the **Certification Authority Management** console.
2. Right-click **Certificate Templates** and click **Manage**.
@@ -123,7 +124,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
> [!NOTE]
- > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
+ > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the _Build from this Active Directory information_ option, which will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with _Supply in the request_ to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
@@ -139,9 +140,9 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
#### Creating an Enrollment Agent certificate for typical Service Accounts
-Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials.
+Sign-in to a certificate authority or management workstation with *Domain Admin* equivalent credentials.
-1. Open the **Certificate Authority** management console.
+1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
@@ -163,11 +164,11 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e
### Creating Windows Hello for Business authentication certificate template
-During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring.
+During Windows Hello for Business provisioning, a Windows 10 client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it.
-Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
+Sign-in to a certificate authority or management workstation with _Domain Admin equivalent_ credentials.
-1. Open the **Certificate Authority** management console.
+1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
@@ -175,10 +176,10 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
+5. On the **General** tab, type **WHFB Authentication** or your choice of template name in **Template display name**. Note the short template name for later use with CertUtil. Adjust the validity and renewal period to meet your enterprise's needs.
> [!NOTE]
- > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
+ > If you use different template names, you'll need to remember and substitute these names in the relevant portions of the deployment.
6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
@@ -231,39 +232,39 @@ CertUtil: -dsTemplate command completed successfully."
```
> [!NOTE]
-> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
+> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
## Publish Templates
### Publish Certificate Templates to a Certificate Authority
-The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
+The certificate authority only issues certificates for certificate templates which are published by that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
#### Publish Certificate Templates to the Certificate Authority
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
-1. Open the **Certificate Authority** management console.
+1. Open the **Certification Authority** management console.
2. Expand the parent node from the navigation pane.
3. Click **Certificate Templates** in the navigation pane.
-4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
+4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**.
-5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+5. In the **Enable Certificates Templates** window, Ctrl-select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
6. Close the console.
#### Unpublish Superseded Certificate Templates
-The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates.
+The certificate authority only issues certificates based on published certificate templates. For defense-in-depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes any pre-published certificate templates from the role installation and any superseded certificate templates.
-The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
+The newly-created Kerberos authentication-based Domain Controller certificate template supersedes any previous domain controller certificate templates. Therefore, you should unpublish these certificate templates from all issuing certificate authorities.
-Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
+Sign-in to each certificate authority, or a management workstation with _Enterprise Admin_ equivalent credentials.
-1. Open the **Certificate Authority** management console.
+1. Open the **Certification Authority** management console.
2. Expand the parent node from the navigation pane.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 18959a0f1e..1a946e82dc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -74,9 +74,8 @@ The minimum required Enterprise certificate authority that can be used with Wind
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
-* The domain controller certificate must be installed in the local computer's certificate store.
+* The domain controller certificate must be installed in the local computer's certificate store. See [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki) for details.
-
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 4d3512719a..d53a57bff1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -1,6 +1,6 @@
---
-title: Windows Hello for Business (Windows 10)
-description: Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices.
+title: Windows Hello for Business Deployment Prerequisite Overview
+description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
ms.reviewer:
keywords: identity, PIN, biometric, Hello, passport
@@ -15,29 +15,14 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 05/05/2018
+ms.date: 1/22/2021
---
-# Windows Hello for Business
+# Windows Hello for Business Deployment Prerequisite Overview
-In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
-Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account.
+This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business.
-Windows Hello addresses the following problems with passwords:
-
-- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
-- Server breaches can expose symmetric network credentials (passwords).
-- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
-- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing).
-
-> | | | |
-> | :---: | :---: | :---: |
-> | [](hello-overview.md)[Overview](hello-overview.md) | [](hello-why-pin-is-better-than-password.md)[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [](hello-manage-in-organization.md)[Manage Windows Hello in your Organization](hello-manage-in-organization.md) |
-
-
-## Prerequisites
-
-### Cloud Only Deployment
+## Cloud Only Deployment
* Windows 10, version 1511 or later
* Microsoft Azure Account
@@ -46,9 +31,9 @@ Windows Hello addresses the following problems with passwords:
* Modern Management (Intune or supported third-party MDM), *optional*
* Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory
-### Hybrid Deployments
+## Hybrid Deployments
-The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
+The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
| Key trustGroup Policy managed | Certificate trustMixed managed | Key trustModern managed | Certificate trustModern managed |
| --- | --- | --- | --- |
@@ -76,7 +61,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
> Reset above lock screen - Windows 10, version 1709, Professional
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
-### On-premises Deployments
+## On-premises Deployments
The table shows the minimum requirements for each deployment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index cb3a0081f2..57805caf8b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -19,13 +19,15 @@ ms.reviewer:
# Planning a Windows Hello for Business Deployment
**Applies to**
-- Windows 10
+
+- Windows 10
Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
-If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
+> [!Note]
+>If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
## Using this guide
@@ -38,12 +40,13 @@ This guide removes the appearance of complexity by helping you make decisions on
Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment.
There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are:
-* Deployment Options
-* Client
-* Management
-* Active Directory
-* Public Key Infrastructure
-* Cloud
+
+- Deployment Options
+- Client
+- Management
+- Active Directory
+- Public Key Infrastructure
+- Cloud
### Baseline Prerequisites
@@ -58,13 +61,16 @@ The goal of Windows Hello for Business is to enable deployments for all organiza
There are three deployment models from which you can choose: cloud only, hybrid, and on-premises.
##### Cloud only
+
The cloud only deployment model is for organizations who only have cloud identities and do not access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users do not use on-premises resources, they do not need certificates for things like VPN because everything they need is hosted in Azure.
##### Hybrid
+
The hybrid deployment model is for organizations that:
-* Are federated with Azure Active Directory
-* Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
-* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
+
+- Are federated with Azure Active Directory
+- Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
+- Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
> [!Important]
> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
@@ -154,7 +160,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in
### Cloud
-Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional.
+Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from those that are optional.
## Planning a Deployment
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
new file mode 100644
index 0000000000..4282b8e701
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -0,0 +1,110 @@
+### YamlMime:Landing
+
+title: Windows Hello for Business documentation
+summary: Learn how to manage and deploy Windows Hello for Business.
+
+metadata:
+ title: Windows Hello for Business documentation
+ description: Learn how to manage and deploy Windows Hello for Business.
+ ms.prod: w10
+ ms.topic: landing-page
+ author: mapalko
+ manager: dansimp
+ ms.author: mapalko
+ ms.date: 01/22/2021
+ ms.collection: M365-identity-device-management
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card
+ - title: About Windows Hello For Business
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Windows Hello for Business Overview
+ url: hello-overview.md
+ - linkListType: concept
+ links:
+ - text: Passwordless Strategy
+ url: passwordless-strategy.md
+ - text: Why a PIN is better than a password
+ url: hello-why-pin-is-better-than-password.md
+ - text: Windows Hello biometrics in the enterprise
+ url: hello-biometrics-in-enterprise.md
+ - text: How Windows Hello for Business works
+ url: hello-how-it-works.md
+ - linkListType: learn
+ links:
+ - text: Technical Deep Dive - Device Registration
+ url: hello-how-it-works-device-registration.md
+ - text: Technical Deep Dive - Provisioning
+ url: hello-how-it-works-provisioning.md
+ - text: Technical Deep Dive - Authentication
+ url: hello-how-it-works-authentication.md
+ - text: Technology and Terminology
+ url: hello-how-it-works-technology.md
+ - text: Frequently Asked Questions (FAQ)
+ url: hello-faq.yml
+
+ # Card
+ - title: Configure and manage Windows Hello for Business
+ linkLists:
+ - linkListType: concept
+ links:
+ - text: Windows Hello for Business Deployment Overview
+ url: hello-deployment-guide.md
+ - text: Planning a Windows Hello for Business Deployment
+ url: hello-planning-guide.md
+ - text: Deployment Prerequisite Overview
+ url: hello-identity-verification.md
+ - linkListType: how-to-guide
+ links:
+ - text: Hybrid Azure AD Joined Key Trust Deployment
+ url: hello-hybrid-key-trust.md
+ - text: Hybrid Azure AD Joined Certificate Trust Deployment
+ url: hello-hybrid-cert-trust.md
+ - text: On-premises SSO for Azure AD Joined Devices
+ url: hello-hybrid-aadj-sso.md
+ - text: On-premises Key Trust Deployment
+ url: hello-deployment-key-trust.md
+ - text: On-premises Certificate Trust Deployment
+ url: hello-deployment-cert-trust.md
+ - linkListType: learn
+ links:
+ - text: Manage Windows Hello for Business in your organization
+ url: hello-manage-in-organization.md
+ - text: Windows Hello and password changes
+ url: hello-and-password-changes.md
+ - text: Prepare people to use Windows Hello
+ url: hello-prepare-people-to-use.md
+
+ # Card
+ - title: Windows Hello for Business Features
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Conditional Access
+ url: hello-feature-conditional-access.md
+ - text: PIN Reset
+ url: hello-feature-pin-reset.md
+ - text: Dual Enrollment
+ url: hello-feature-dual-enrollment.md
+ - text: Dynamic Lock
+ url: hello-feature-dynamic-lock.md
+ - text: Multi-factor Unlock
+ url: feature-multifactor-unlock.md
+ - text: Remote Desktop
+ url: hello-feature-remote-desktop.md
+
+ # Card
+ - title: Windows Hello for Business Troubleshooting
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Known Deployment Issues
+ url: hello-deployment-issues.md
+ - text: Errors During PIN Creation
+ url: hello-errors-during-pin-creation.md
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index dd1b6b18e0..87e71bc747 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -216,7 +216,7 @@ The policy name for these operating systems is **Interactive logon: Require Wind
When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
#### Excluding the password credential provider
-You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > Logon**
+You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**
The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**.
diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md
deleted file mode 100644
index b046ac97ee..0000000000
--- a/windows/security/identity-protection/hello-for-business/toc.md
+++ /dev/null
@@ -1,72 +0,0 @@
-# [Windows Hello for Business](hello-identity-verification.md)
-
-## [Password-less Strategy](passwordless-strategy.md)
-
-## [Windows Hello for Business Overview](hello-overview.md)
-## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-## [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-
-## [Windows Hello for Business Features](hello-features.md)
-### [Conditional Access](hello-feature-conditional-access.md)
-### [Dual Enrollment](hello-feature-dual-enrollment.md)
-### [Dynamic Lock](hello-feature-dynamic-lock.md)
-### [Multifactor Unlock](feature-multifactor-unlock.md)
-### [PIN Reset](hello-feature-pin-reset.md)
-### [Remote Desktop](hello-feature-remote-desktop.md)
-
-## [How Windows Hello for Business works](hello-how-it-works.md)
-### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive)
-#### [Device Registration](hello-how-it-works-device-registration.md)
-#### [Provisioning](hello-how-it-works-provisioning.md)
-#### [Authentication](hello-how-it-works-authentication.md)
-#### [Technology and Terminology](hello-how-it-works-technology.md)
-
-## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md)
-
-## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-
-## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md)
-
-### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
-#### [Prerequisites](hello-hybrid-key-trust-prereqs.md)
-#### [New Installation Baseline](hello-hybrid-key-new-install.md)
-#### [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
-#### [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
-#### [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-#### [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
-
-### [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
-#### [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-#### [New Installation Baseline](hello-hybrid-cert-new-install.md)
-#### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-#### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md)
-#### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
-
-### [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
-#### [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md)
-#### [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md)
-
-### [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
-#### [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
-#### [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
-#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
-##### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
-#### [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
-
-### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
-#### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
-#### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
-#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
-#### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-#### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
-
-## [Windows Hello and password changes](hello-and-password-changes.md)
-## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-
-## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.yml)
-### [Windows Hello for Business Videos](hello-videos.md)
-
-## Windows Hello for Business Troubleshooting
-### [Known Deployment Issues](hello-deployment-issues.md)
-### [Errors during PIN creation](hello-errors-during-pin-creation.md)
-### [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
new file mode 100644
index 0000000000..8a29bb7d81
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -0,0 +1,137 @@
+- name: Windows Hello for Business documentation
+ href: index.yml
+- name: Overview
+ items:
+ - name: Windows Hello for Business Overview
+ href: hello-overview.md
+- name: Concepts
+ expanded: true
+ items:
+ - name: Passwordless Strategy
+ href: passwordless-strategy.md
+ - name: Why a PIN is better than a password
+ href: hello-why-pin-is-better-than-password.md
+ - name: Windows Hello biometrics in the enterprise
+ href: hello-biometrics-in-enterprise.md
+ - name: How Windows Hello for Business works
+ href: hello-how-it-works.md
+ - name: Technical Deep Dive
+ items:
+ - name: Device Registration
+ href: hello-how-it-works-device-registration.md
+ - name: Provisioning
+ href: hello-how-it-works-provisioning.md
+ - name: Authentication
+ href: hello-how-it-works-authentication.md
+- name: How-to Guides
+ items:
+ - name: Windows Hello for Business Deployment Overview
+ href: hello-deployment-guide.md
+ - name: Planning a Windows Hello for Business Deployment
+ href: hello-planning-guide.md
+ - name: Deployment Prerequisite Overview
+ href: hello-identity-verification.md
+ - name: Prepare people to use Windows Hello
+ href: hello-prepare-people-to-use.md
+ - name: Deployment Guides
+ items:
+ - name: Hybrid Azure AD Joined Key Trust
+ items:
+ - name: Hybrid Azure AD Joined Key Trust Deployment
+ href: hello-hybrid-key-trust.md
+ - name: Prerequisites
+ href: hello-hybrid-key-trust-prereqs.md
+ - name: New Installation Baseline
+ href: hello-hybrid-key-new-install.md
+ - name: Configure Directory Synchronization
+ href: hello-hybrid-key-trust-dirsync.md
+ - name: Configure Azure Device Registration
+ href: hello-hybrid-key-trust-devreg.md
+ - name: Configure Windows Hello for Business settings
+ href: hello-hybrid-key-whfb-settings.md
+ - name: Sign-in and Provisioning
+ href: hello-hybrid-key-whfb-provision.md
+ - name: Hybrid Azure AD Joined Certificate Trust
+ items:
+ - name: Hybrid Azure AD Joined Certificate Trust Deployment
+ href: hello-hybrid-cert-trust.md
+ - name: Prerequisites
+ href: hello-hybrid-cert-trust-prereqs.md
+ - name: New Installation Baseline
+ href: hello-hybrid-cert-new-install.md
+ - name: Configure Azure Device Registration
+ href: hello-hybrid-cert-trust-devreg.md
+ - name: Configure Windows Hello for Business settings
+ href: hello-hybrid-cert-whfb-settings.md
+ - name: Sign-in and Provisioning
+ href: hello-hybrid-cert-whfb-provision.md
+ - name: On-premises SSO for Azure AD Joined Devices
+ items:
+ - name: On-premises SSO for Azure AD Joined Devices Deployment
+ href: hello-hybrid-aadj-sso.md
+ - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+ href: hello-hybrid-aadj-sso-base.md
+ - name: Using Certificates for AADJ On-premises Single-sign On
+ href: hello-hybrid-aadj-sso-cert.md
+ - name: On-premises Key Trust
+ items:
+ - name: On-premises Key Trust Deployment
+ href: hello-deployment-key-trust.md
+ - name: Validate Active Directory Prerequisites
+ href: hello-key-trust-validate-ad-prereq.md
+ - name: Validate and Configure Public Key Infrastructure
+ href: hello-key-trust-validate-pki.md
+ - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ href: hello-key-trust-adfs.md
+ - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ href: hello-key-trust-validate-deploy-mfa.md
+ - name: Configure Windows Hello for Business policy settings
+ href: hello-key-trust-policy-settings.md
+ - name: On-premises Certificate Trust
+ items:
+ - name: On-premises Certificate Trust Deployment
+ href: hello-deployment-cert-trust.md
+ - name: Validate Active Directory Prerequisites
+ href: hello-cert-trust-validate-ad-prereq.md
+ - name: Validate and Configure Public Key Infrastructure
+ href: hello-cert-trust-validate-pki.md
+ - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ href: hello-cert-trust-adfs.md
+ - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ href: hello-cert-trust-validate-deploy-mfa.md
+ - name: Configure Windows Hello for Business policy settings
+ href: hello-cert-trust-policy-settings.md
+ - name: Managing Windows Hello for Business in your organization
+ href: hello-manage-in-organization.md
+ - name: Windows Hello for Business Features
+ items:
+ - name: Conditional Access
+ href: hello-feature-conditional-access.md
+ - name: PIN Reset
+ href: hello-feature-pin-reset.md
+ - name: Dual Enrollment
+ href: hello-feature-dual-enrollment.md
+ - name: Dynamic Lock
+ href: hello-feature-dynamic-lock.md
+ - name: Multi-factor Unlock
+ href: feature-multifactor-unlock.md
+ - name: Remote Desktop
+ href: hello-feature-remote-desktop.md
+ - name: Troubleshooting
+ items:
+ - name: Known Deployment Issues
+ href: hello-deployment-issues.md
+ - name: Errors During PIN Creation
+ href: hello-errors-during-pin-creation.md
+ - name: Event ID 300 - Windows Hello successfully created
+ href: hello-event-300.md
+ - name: Windows Hello and password changes
+ href: hello-and-password-changes.md
+- name: Reference
+ items:
+ - name: Technology and Terminology
+ href: hello-how-it-works-technology.md
+ - name: Frequently Asked Questions (FAQ)
+ href: hello-faq.yml
+ - name: Windows Hello for Business videos
+ href: hello-videos.md
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index f57abc302f..dd87cded73 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -31,5 +31,5 @@ Learn more about identity and access management technologies in Windows 10 and
| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
-| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
+| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 76bfdf55f4..805b02475c 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -176,7 +176,6 @@
###### [Use PowerShell cmdlets to manage next-generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
###### [Use the mpcmdrun.exe command line tool to manage next-generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
-###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md)
##### [Deploy, manage updates, and report on antivirus]()
###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
@@ -479,6 +478,7 @@
#### [General]()
##### [Verify data storage location and update data retention settings](microsoft-defender-atp/data-retention-settings.md)
##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
+##### [Configure vulnerability notifications](microsoft-defender-atp/configure-vulnerability-email-notifications.md)
##### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
#### [Permissions]()
@@ -527,6 +527,7 @@
##### [Microsoft Defender for Endpoint APIs Schema]()
###### [Supported Microsoft Defender for Endpoint APIs](microsoft-defender-atp/exposed-apis-list.md)
+###### [Release Notes](microsoft-defender-atp/api-release-notes.md)
###### [Common REST API error codes](microsoft-defender-atp/common-errors.md)
###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index fc1d481a34..f0f08773af 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -20,6 +20,9 @@ ms.technology: mde
# Threat Protection
[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
> [!TIP]
> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/).
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
deleted file mode 100644
index e99e915192..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: What to do with false positives/negatives in Microsoft Defender Antivirus
-description: Did Microsoft Defender Antivirus miss or wrongly detect something? Find out what you can do.
-keywords: Microsoft Defender Antivirus, false positives, false negatives, exclusions
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 01/26/2021
-ms.reviewer: shwetaj
-manager: dansimp
-audience: ITPro
-ms.topic: article
-ms.technology: mde
----
-
-# What to do with false positives/negatives in Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
-
-What if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these issues. You can:
-- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis)
-- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring)
-- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned)
-
-> [!TIP]
-> This article focuses on false positives in Microsoft Defender Antivirus. If you want guidance for Microsoft Defender for Endpoint, which includes next-generation protection, endpoint detection and response, automated investigation and remediation, and more, see [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md).
-
-## Submit a file to Microsoft for analysis
-
-1. Review the [submission guidelines](../intelligence/submission-guide.md).
-2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission).
-
-> [!TIP]
-> We recommend signing in at the submission portal so you can track the results of your submissions.
-
-## Create an "Allow" indicator to prevent a false positive from recurring
-
-If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender for Endpoint) that the item is safe.
-
-To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
-
-## Define an exclusion on an individual Windows device to prevent an item from being scanned
-
-When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item.
-
-1. On your Windows 10 device, open the Windows Security app.
-2. Select **Virus & threat protection** > **Virus & threat protection settings**.
-3. Under **Exclusions**, select **Add or remove exclusions**.
-4. Select **+ Add an exclusion**, and specify its type (**File**, **Folder**, **File type**, or **Process**).
-
-The following table summarizes exclusion types, how they're defined, and what happens when they're in effect.
-
-|Exclusion type |Defined by |What happens |
-|---------|---------|---------|
-|**File** |Location
Example: `c:\sample\sample.test` |The specified file is skipped by Microsoft Defender Antivirus. |
-|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. |
-|**File type** |File extension
Example: `.test` |All files with the specified extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
-|**Process** |Executable file path
Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
-
-To learn more, see:
-- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
-- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
-
-## Related articles
-
-[What is Microsoft Defender for Endpoint?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
-
-[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
-
-[Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
index 3849774f8b..ef143bfe39 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
@@ -50,7 +50,7 @@ You can also download the whitepaper [Microsoft Defender Antivirus on Virtual De
## Set up a dedicated VDI file share
-In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell.
+In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. This feature has been backported and now works in Windows 10 version 1703 and above. You can set this feature with a Group Policy, or PowerShell.
### Use Group Policy to enable the shared security intelligence feature:
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
index dc721c7813..f56820cf7f 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@@ -11,7 +11,7 @@ author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
audience: ITPro
-ms.date: 01/08/2021
+ms.date: 02/03/2021
ms.reviewer:
manager: dansimp
ms.technology: mde
@@ -62,13 +62,13 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium
### Blocking URLs with Microsoft Defender SmartScreen
-In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs.
+In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.
Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft
Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can
[configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.
-Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings.
+Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.
## Microsoft Defender Antivirus
@@ -87,7 +87,7 @@ The notification appears in the usual [quarantine list within the Windows Securi
You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true).
-You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log.
+You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log.
> [!TIP]
> Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action.
@@ -112,21 +112,13 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
#### Use Group Policy to configure PUA protection
1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
-
2. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
-
3. Select the Group Policy Object you want to configure, and then choose **Edit**.
-
4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-
5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**.
-
6. Double-click **Configure detection for potentially unwanted applications**.
-
7. Select **Enabled** to enable PUA protection.
-
-8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**.
-
+8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**.
9. Deploy your Group Policy object as you usually do.
#### Use PowerShell cmdlets to configure PUA protection
@@ -134,31 +126,49 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
##### To enable PUA protection
```PowerShell
-Set-MpPreference -PUAProtection enable
+Set-MpPreference -PUAProtection Enabled
```
-Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled.
+
+Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled.
##### To set PUA protection to audit mode
```PowerShell
-Set-MpPreference -PUAProtection auditmode
+Set-MpPreference -PUAProtection AuditMode
```
-Setting `AuditMode` will detect PUAs without blocking them.
+
+Setting `AuditMode` detects PUAs without blocking them.
##### To disable PUA protection
We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:
```PowerShell
-Set-MpPreference -PUAProtection disable
+Set-MpPreference -PUAProtection Disabled
```
-Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled.
+
+Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled.
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### View PUA events
-PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune.
+PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example:
+
+```console
+CategoryID : 27
+DidThreatExecute : False
+IsActive : False
+Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/
+ fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714}
+RollupStatus : 33
+SchemaVersion : 1.0.0.0
+SeverityID : 1
+ThreatID : 213927
+ThreatName : PUA:Win32/InstallCore
+TypeID : 0
+PSComputerName :
+```
You can turn on email notifications to receive mail about PUA detections.
@@ -166,11 +176,11 @@ See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for d
### Allow-listing apps
-Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed.
+Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed.
For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions).
-## Related articles
+## See also
- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md)
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index a93bfb03a8..8bf9a478a0 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: pahuijbr
manager: dansimp
-ms.date: 01/07/2021
+ms.date: 02/04/2021
ms.technology: mde
---
@@ -90,7 +90,6 @@ All our updates contain
### What's new
- Improved SmartScreen status support logging
-- Apply CPU throttling policy to manually initiated scans
### Known Issues
No known issues
@@ -387,6 +386,20 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
+1.1.2102.03
+
+ Package version: **1.1.2102.03**
+ Platform version: **4.18.2011.6**
+ Engine version: **1.17800.5**
+ Signature version: **1.331.174.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+
1.1.2101.02
Package version: **1.1.2101.02**
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index ad505f776b..20419165db 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: tewchen, pahuijbr, shwjha
manager: dansimp
-ms.date: 01/22/2021
+ms.date: 01/27/2021
ms.technology: mde
---
@@ -89,10 +89,12 @@ The table in this section summarizes the functionality and features that are ava
| [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | See note [[4](#fn4)] | Yes | No |
| [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No |
-(3) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. However, if [Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) (Endpoint DLP) is configured and in effect, protective actions are enforced. Endpoint DLP works with real-time protection and behavior monitoring.
+(3) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
(4) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans.
+> [!NOTE]
+> [Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in active or passive mode.
## Keep the following points in mind
diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
index e63643ed0a..3abe07fc71 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
@@ -13,57 +13,51 @@ ms.topic: article
author: dansimp
ms.author: dansimp
ms.custom: nextgen
-ms.date: 09/10/2020
+ms.date: 02/04/2021
ms.reviewer:
manager: dansimp
ms.technology: mde
---
# Onboard Windows 10 multi-session devices in Windows Virtual Desktop
-6 minutes to read
Applies to:
- Windows 10 multi-session running on Windows Virtual Desktop (WVD)
-> [!IMPORTANT]
-> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender for Endpoint. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.
-
-> [!WARNING]
-> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported.
Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity.
## Before you begin
-Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). While [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a golden Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment and thus impacts what entries are created and maintained in the Microsoft Defender for Endpoint portal, potentially reducing visibility for your security analysts.
+Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts.
> [!NOTE]
-> Depending on your choice of onboarding method, devices can appear in Microsoft Defender for Endpoint portal as either:
+> Depending on your choice of onboarding method, devices can appear in Microsoft Defender Security Center as either:
> - Single entry for each virtual desktop
> - Multiple entries for each virtual desktop
-Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Endpoint portal is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender for Endpoint portal. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently.
+Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Security Center is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender Security Center. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently.
-Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD golden image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy.
+Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy.
> [!NOTE]
> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is NOT recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account.
-### Scenarios
+## Scenarios
There are several ways to onboard a WVD host machine:
- Run the script in the golden image (or from a shared location) during startup.
- Use a management tool to run the script.
-#### *Scenario 1: Using local group policy*
+### Scenario 1: Using local group policy
This scenario requires placing the script in a golden image and uses local group policy to run early in the boot process.
Use the instructions in [Onboard non-persistent virtual desktop infrastructure VDI devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1).
Follow the instructions for a single entry for each device.
-#### *Scenario 2: Using domain group policy*
+### Scenario 2: Using domain group policy
This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way.
-**Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center**
+#### Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center
1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip)
- In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**.
- Select Windows 10 as the operating system.
@@ -71,7 +65,7 @@ This scenario uses a centrally located script and runs it using a domain-based g
- Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**.
-**Use Group Policy management console to run the script when the virtual machine starts**
+#### Use Group Policy management console to run the script when the virtual machine starts
1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
1. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**.
1. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7).
@@ -86,7 +80,7 @@ Enter the following:
Click **OK** and close any open GPMC windows.
-#### *Scenario 3: Onboarding using management tools*
+### Scenario 3: Onboarding using management tools
If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager.
@@ -98,18 +92,18 @@ For more information, see: [Onboard Windows 10 devices using Configuration Manag
> [!TIP]
> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
-#### Tagging your machines when building your golden image
+## Tagging your machines when building your image
As part of your onboarding, you may want to consider setting a machine tag to be able to differentiate WVD machines more easily in the Microsoft Security Center. For more information, see
[Add device tags by setting a registry key value](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags#add-device-tags-by-setting-a-registry-key-value).
-#### Other recommended configuration settings
+## Other recommended configuration settings
-When building your golden image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings).
+When building your image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings).
In addition, if you are using FSlogix user profiles, we recommend you exclude the following files from always-on protection:
-**Exclude Files:**
+### Exclude Files
> %ProgramFiles%\FSLogix\Apps\frxdrv.sys
> %ProgramFiles%\FSLogix\Apps\frxdrvvt.sys
@@ -121,12 +115,12 @@ In addition, if you are using FSlogix user profiles, we recommend you exclude th
> \\storageaccount.file.core.windows.net\share\*\*.VHD
> \\storageaccount.file.core.windows.net\share\*\*.VHDX
-**Exclude Processes:**
+### Exclude Processes
> %ProgramFiles%\FSLogix\Apps\frxccd.exe
> %ProgramFiles%\FSLogix\Apps\frxccds.exe
> %ProgramFiles%\FSLogix\Apps\frxsvc.exe
-#### Licensing requirements
+## Licensing requirements
Windows 10 Multi-session is a client OS. Licensing requirements for Microsoft Defender for endpoint can be found at: [Licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index f6b1666c6c..da475d40a4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -69,45 +69,145 @@ determination | Nullable Enum | Specifies the determination of the alert. Possib
category| String | Category of the alert.
detectionSource | String | Detection source.
threatFamilyName | String | Threat family.
+threatName | String | Threat name.
machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
computerDnsName | String | [machine](machine.md) fully qualified name.
aadTenantId | String | The Azure Active Directory ID.
-comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
+detectorId | String | The ID of the detector that triggered the alert.
+comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time.
+Evidence | List of Alert evidence | Evidence related to the alert. See example below.
### Response example for getting single alert:
-```
-GET https://api.securitycenter.microsoft.com/api/alerts/da637084217856368682_-292920499
+```http
+GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609
```
```json
{
- "id": "da637084217856368682_-292920499",
- "incidentId": 66860,
- "investigationId": 4416234,
- "investigationState": "Running",
- "assignedTo": "secop@contoso.com",
- "severity": "Low",
- "status": "New",
- "classification": "TruePositive",
- "determination": null,
- "detectionSource": "WindowsDefenderAtp",
- "category": "CommandAndControl",
- "threatFamilyName": null,
- "title": "Network connection to a risky host",
- "description": "A network connection was made to a risky host which has exhibited malicious activity.",
- "alertCreationTime": "2019-11-03T23:49:45.3823185Z",
- "firstEventTime": "2019-11-03T23:47:16.2288822Z",
- "lastEventTime": "2019-11-03T23:47:51.2966758Z",
- "lastUpdateTime": "2019-11-03T23:55:52.6Z",
- "resolvedTime": null,
- "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
- "comments": [
- {
- "comment": "test comment for docs",
- "createdBy": "secop@contoso.com",
- "createdTime": "2019-11-05T14:08:37.8404534Z"
- }
- ]
+ "id": "da637472900382838869_1364969609",
+ "incidentId": 1126093,
+ "investigationId": null,
+ "assignedTo": null,
+ "severity": "Low",
+ "status": "New",
+ "classification": null,
+ "determination": null,
+ "investigationState": "Queued",
+ "detectionSource": "WindowsDefenderAtp",
+ "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
+ "category": "Execution",
+ "threatFamilyName": null,
+ "title": "Low-reputation arbitrary code executed by signed executable",
+ "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
+ "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
+ "firstEventTime": "2021-01-26T20:31:32.9562661Z",
+ "lastEventTime": "2021-01-26T20:31:33.0577322Z",
+ "lastUpdateTime": "2021-01-26T20:33:59.2Z",
+ "resolvedTime": null,
+ "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
+ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+ "rbacGroupName": "A",
+ "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
+ "relatedUser": {
+ "userName": "temp123",
+ "domainName": "MIDDLEEAST"
+ },
+ "comments": [
+ {
+ "comment": "test comment for docs",
+ "createdBy": "secop123@contoso.com",
+ "createdTime": "2021-01-26T01:00:37.8404534Z"
+ }
+ ],
+ "evidence": [
+ {
+ "entityType": "User",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+ "sha1": null,
+ "sha256": null,
+ "fileName": null,
+ "filePath": null,
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": "eranb",
+ "domainName": "MIDDLEEAST",
+ "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
+ "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
+ "userPrincipalName": "temp123@microsoft.com",
+ "detectionStatus": null
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
+ "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
+ "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
+ "fileName": "rundll32.exe",
+ "filePath": "C:\\Windows\\SysWOW64",
+ "processId": 3276,
+ "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
+ "processCreationTime": "2021-01-26T20:31:32.9581596Z",
+ "parentProcessId": 8420,
+ "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
+ "parentProcessFileName": "rundll32.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "File",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+ "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
+ "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
+ "fileName": "suspicious.dll",
+ "filePath": "c:\\temp",
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ }
+ ]
}
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
new file mode 100644
index 0000000000..441c3cbd30
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
@@ -0,0 +1,73 @@
+---
+title: Microsoft Defender for Endpoint API release notes
+description: Release notes for updates made to the Microsoft Defender for Endpoint set of APIs.
+keywords: microsoft defender for endpoint api release notes, mde, apis, mdatp api, updates, notes, release
+search.product: eADQiWindows 10XVcnh
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.technology: mde
+---
+
+# Microsoft Defender for Endpoint API release notes
+
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+The following information lists the updates made to the Microsoft Defender for Endpoint APIs and the dates they were made.
+
+
+### 25.01.2021
+
+
+- Updated rate limitations for [Advanced Hunting API](run-advanced-query-api.md) from 15 to 45 requests per minute.
+
+
+
+### 21.01.2021
+
+
+- Added new API: [Find devices by tag](machine-tags.md).
+- Added new API: [Import Indicators](import-ti-indicators.md).
+
+
+
+### 03.01.2021
+
+
+- Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties.
+- Updated [Alert entity](alerts.md): added ***detectorId*** property.
+
+
+
+### 15.12.2020
+
+
+- Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md).
+
+
+
+### 04.11.2020
+
+
+- Added new API: [Set device value](set-device-value.md).
+- Updated [Device](machine.md) entity: added ***deviceValue*** property.
+
+
+
+### 01.09.2020
+
+
+- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md).
+
+
+
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index 6bc883ca30..846bc4dbca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -43,15 +43,15 @@ For more information about configuring attack surface reduction rules, see [Enab
## Assess rule impact before deployment
-You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm).
+You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm).
:::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule":::
-In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity.
+In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity.
## Audit mode for evaluation
-Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
+Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would affect your organization if they were enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without reducing productivity.
## Warn mode for users
@@ -95,13 +95,13 @@ Notifications and any alerts that are generated can be viewed in the Microsoft D
You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour.
-For example, suppose that an attack surface reduction event occurs on ten devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on ten devices), and its timestamp will be 2:15 PM.
+For example, suppose that an attack surface reduction event occurs on 10 devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on 10 devices), and its timestamp will be 2:15 PM.
For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md).
## Attack surface reduction features across Windows versions
-You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows:
- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
@@ -135,7 +135,7 @@ You can review the Windows event log to view events generated by attack surface
You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access:
|Event ID | Description |
-|---|---|
+|:---|:---|
|5007 | Event when settings are changed |
|1121 | Event when rule fires in Block-mode |
|1122 | Event when rule fires in Audit-mode |
@@ -169,9 +169,9 @@ If you are configuring attack surface reduction rules by using Group Policy or P
### Block Adobe Reader from creating child processes
-This rule prevents attacks by blocking Adobe Reader from creating additional processes.
+This rule prevents attacks by blocking Adobe Reader from creating processes.
-Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
+Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
This rule was introduced in:
- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
@@ -188,7 +188,7 @@ GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.
-Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
+Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
@@ -353,7 +353,7 @@ GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
-This rule protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
+This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
> [!NOTE]
> This rule applies to Outlook and Outlook.com only.
@@ -426,7 +426,7 @@ GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
This rule prevents VBA macros from calling Win32 APIs.
-Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
+Office VBA enables Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 3e1fad5b1a..060c2d575a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -42,6 +42,7 @@ For a practical guidance on what needs to be in place for licensing and infrastr
For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines).
+
## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
@@ -56,13 +57,13 @@ After completing the onboarding steps using any of the provided options, you'll
> [!NOTE]
-> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
+> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA)
You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
-If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support.
+If you're already using System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support.
In general, you'll need to take the following steps:
1. Fulfill the onboarding requirements outlined in **Before you begin** section.
@@ -98,10 +99,13 @@ Perform the following steps to fulfill the onboarding requirements:
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server:
- - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
+ - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
+ - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line).
+ - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation).
+> [!NOTE]
+> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.
@@ -140,6 +144,8 @@ You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsof
After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
+
+
## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods:
@@ -179,12 +185,14 @@ Support for Windows Server provides deeper insight into server activities, cover
```sc.exe query Windefend```
- If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
+ If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
+
+
## Integration with Azure Security Center
-Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
+Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
The following capabilities are included in this integration:
- Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
@@ -202,6 +210,7 @@ Data collected by Defender for Endpoint is stored in the geo-location of the ten
> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
+
## Configure and update System Center Endpoint Protection clients
@@ -212,7 +221,7 @@ The following steps are required to enable this integration:
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting.
-
+
## Offboard Windows servers
You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.
@@ -264,6 +273,9 @@ To offboard the Windows server, you can use either of the following methods:
$AgentCfg.ReloadConfiguration()
```
+
+
+
## Related topics
- [Onboard Windows 10 devices](configure-endpoints.md)
- [Onboard non-Windows devices](configure-endpoints-non-windows.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md
new file mode 100644
index 0000000000..5c24aa1ae7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md
@@ -0,0 +1,93 @@
+---
+title: Configure vulnerability email notifications in Microsoft Defender for Endpoint
+description: Use Microsoft Defender for Endpoint to configure email notification settings for vulnerability events.
+keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Configure vulnerability email notifications in Microsoft Defender for Endpoint
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
+
+Configure Microsoft Defender for Endpoint to send email notifications to specified recipients for new vulnerability events. This feature enables you to identify a group of individuals who will immediately be informed and can act on the notifications based on the event. The vulnerability information comes from Defender for Endpoint's [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) capability.
+
+> [!NOTE]
+> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. [Learn more about permission options](user-roles.md)
+
+The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they are added.
+
+If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule.
+Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
+
+The email notification includes basic information about the vulnerability event. There are also links to filtered views in the threat and vulnerability management [Security recommendations](tvm-security-recommendation.md) and [Weaknesses](tvm-weaknesses.md) pages in the portal so you can further investigate. For example, you could get a list of all exposed devices or get additional details about the vulnerability.
+
+## Create rules for alert notifications
+
+Create a notification rule to send an email when there are certain exploit or vulnerability events, such as a new public exploit. For each rule, multiple event types can be selected.
+
+1. In the navigation pane, go to **Settings** > **Email notifications** > **Vulnerabilities**.
+
+2. Select **Add notification rule**.
+
+3. Name the email notification rule and include a description.
+
+4. Check **Notification enabled** to activate the notification. Select **Next**
+
+5. Fill in the notification settings. Then select **Next**
+
+ - Choose device groups to get notifications for.
+ - Choose the vulnerability event(s) that you want to be notified about when they affect your organization.
+ - Options: new vulnerability found (including severity threshold), new public exploit, exploit added to an exploit kit, exploit was verified.
+ - Include organization name if you want the organization name in the email
+
+6. Enter the recipient email address then select **Add**. You can add multiple email addresses.
+
+7. Review the settings for the new email notification rule and select **Create rule** when you're ready to create it.
+
+## Edit a notification rule
+
+1. Select the notification rule you'd like to edit.
+
+2. Select the **Edit rule** button next to the pencil icon in the flyout. Make sure you have permission to edit or delete the rule.
+
+## Delete notification rule
+
+1. Select the notification rule you'd like to delete.
+
+2. Select the **Delete** button next to the trash can icon in the flyout. Make sure you have permission to edit or delete the rule.
+
+## Troubleshoot email notifications for alerts
+
+This section lists various issues that you may encounter when using email notifications for alerts.
+
+**Problem:** Intended recipients report they are not getting the notifications.
+
+**Solution:** Make sure that the notifications are not blocked by email filters:
+
+1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk.
+2. Check that your email security product is not blocking the email notifications from Defender for Endpoint.
+3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications.
+
+## Related topics
+
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index f193b2eca8..b6ab784185 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -1,5 +1,5 @@
---
-title: Prevent ransomware and threats from encrypting and changing files
+title: Protect important folders from ransomware from encrypting your files with controlled folder access
description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files.
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
search.product: eADQiWindows 10XVcnh
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
audience: ITPro
-ms.date: 12/17/2020
+ms.date: 02/03/2021
ms.reviewer: v-maave
manager: dansimp
ms.custom: asr
@@ -35,21 +35,24 @@ Controlled folder access helps protect your valuable data from malicious apps an
Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
+> [!TIP]
+> Controlled folder access blocks don't generate alerts in the [Alerts queue](../microsoft-defender-atp/alerts-queue.md). However, you can view information about controlled folder access blocks in the [device timeline view](../microsoft-defender-atp/investigate-machines.md), while using [advanced hunting](../microsoft-defender-atp/advanced-hunting-overview.md), or with [custom detection rules](../microsoft-defender-atp/custom-detection-rules.md).
+
## How does controlled folder access work?
Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders.
-Controlled folder access works with a list of trusted apps. If an app is included in the list of trusted software, it works as expected. If not, the app is prevented from making any changes to files that are inside protected folders.
+Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the list are prevented from making any changes to files inside protected folders.
Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically.
-Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console.
+Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console.
## Why controlled folder access is important
Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
+The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add more folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
@@ -66,6 +69,7 @@ Windows system folders are protected by default, along with several other folder
- `c:\Users\\Pictures`
- `c:\Users\Public\Pictures`
- `c:\Users\Public\Videos`
+- `c:\Users\\Videos`
- `c:\Users\\Music`
- `c:\Users\Public\Music`
- `c:\Users\\Favorites`
@@ -95,13 +99,9 @@ DeviceEvents
You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app:
1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device.
-
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
3. On the left panel, under **Actions**, select **Import custom view...**.
-
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md).
-
5. Select **OK**.
The following table shows events related to controlled folder access:
@@ -117,17 +117,11 @@ The following table shows events related to controlled folder access:
You can use the Windows Security app to view the list of folders that are protected by controlled folder access.
1. On your Windows 10 device, open the Windows Security app.
-
2. Select **Virus & threat protection**.
-
3. Under **Ransomware protection**, select **Manage ransomware protection**.
-
4. If controlled folder access is turned off, you'll need to turn it on. Select **protected folders**.
-
5. Do one of the following steps:
-
- To add a folder, select **+ Add a protected folder**.
-
- To remove a folder, select it, and then select **Remove**.
> [!NOTE]
@@ -137,4 +131,4 @@ You can use the Windows Security app to view the list of folders that are protec
- [Evaluate controlled folder access](evaluate-controlled-folder-access.md)
- [Customize controlled folder access](customize-controlled-folders.md)
-- [Protect additional folders](customize-controlled-folders.md#protect-additional-folders)
+- [Protect more folders](customize-controlled-folders.md#protect-additional-folders)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 6dd72d0e5a..1f5d1af7b0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -114,6 +114,7 @@ These actions are applied to devices in the `DeviceId` column of the query resul
- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
+- **Restrict app execution**—sets restrictions on the device to allow only files that are signed with a Microsoft-issued certificate to run. [Learn more about restricting app execution](respond-machine-alerts.md#restrict-app-execution)
### Actions on files
@@ -122,6 +123,10 @@ These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1`
- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
- **Quarantine file**—deletes the file from its current location and places a copy in quarantine
+### Actions on users
+
+- **Mark user as compromised**—sets the user's risk level to "high" in Azure Active Directory, triggering the corresponding [identity protection policies](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection#risk-levels).
+
## 5. Set the rule scope.
Set the scope to specify which devices are covered by the rule:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index caeb8f45d2..6a64647a0c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -11,7 +11,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
-ms.date: 01/26/2021
+ms.date: 01/27/2021
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -52,7 +52,7 @@ And, you can [get help if you still have issues with false positives/negatives](
## Part 1: Review and classify alerts
-If you see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well.
+If you see an [alert](alerts.md) that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well.
Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.
@@ -61,24 +61,24 @@ Managing your alerts and classifying true/false positives helps to train your th
Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign.
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-2. In the navigation pane, choose **Alerts queue**.
-3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).)
-4. Depending on the alert status, take the steps described in the following table:
+2. In the navigation pane, choose **Alerts queue**.
+3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).)
+4. Depending on the alert status, take the steps described in the following table:
- | Alert status | What to do |
- |:---|:---|
- | The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. |
- | The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive.
2. [Suppress the alert](#suppress-an-alert).
3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.
4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). |
- | The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). |
+| Alert status | What to do |
+|:---|:---|
+| The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. |
+| The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive.
2. [Suppress the alert](#suppress-an-alert).
3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.
4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). |
+| The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). |
### Classify an alert
-You can classify an alert as a false positive or a true positive in the Microsoft Defender Security Center, in the **Alerts queue**. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts.
+Alerts can be classified as false positives or true positives in the Microsoft Defender Security Center. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts.
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-2. Select **Alerts queue**, and then select an alert that is a false positive.
-3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens.
-4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.)
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
+2. Select **Alerts queue**, and then select an alert.
+3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens.
+4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.)
> [!TIP]
> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too.
@@ -87,18 +87,18 @@ You can classify an alert as a false positive or a true positive in the Microsof
If you have alerts that are either false positives or that are true positives but for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard.
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-2. In the navigation pane, select **Alerts queue**.
-3. Select an alert that you want to suppress to open its **Details** pane.
-4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**.
-5. Specify all the settings for your suppression rule, and then choose **Save**.
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
+2. In the navigation pane, select **Alerts queue**.
+3. Select an alert that you want to suppress to open its **Details** pane.
+4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**.
+5. Specify all the settings for your suppression rule, and then choose **Save**.
> [!TIP]
> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule).
## Part 2: Review remediation actions
-[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, can be taken on entities that are detected as threats. Several types of remediation actions can occur automatically through automated investigation and Microsoft Defender Antivirus. Examples of such actions include:
+[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, are taken on entities (such as files) that are detected as threats. Several types of remediation actions occur automatically through automated investigation and Microsoft Defender Antivirus:
- Quarantine a file
- Remove a registry key
- Kill a process
@@ -106,45 +106,44 @@ If you have alerts that are either false positives or that are true positives bu
- Disable a driver
- Remove a scheduled task
-Other actions, such as starting an antivirus scan or collecting an investigation package, can occur through [Live Response](live-response.md). Those actions cannot be undone.
+Other actions, such as starting an antivirus scan or collecting an investigation package, occur manually or through [Live Response](live-response.md). Actions taken through Live Response cannot be undone.
After you have reviewed your alerts, your next step is to [review remediation actions](manage-auto-investigation.md). If any actions were taken as a result of false positives, you can undo most kinds of remediation actions. Specifically, you can:
-- [undo one action at a time](#undo-an-action);
-- [undo multiple actions at one time](#undo-multiple-actions-at-one-time); and
-- [remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices).
+- [Undo one action at a time](#undo-an-action);
+- [Undo multiple actions at one time](#undo-multiple-actions-at-one-time); and
+- [Remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices).
When you're done reviewing and undoing actions that were taken as a result of false positives, proceed to [review or define exclusions](#part-3-review-or-define-exclusions).
### Review completed actions
1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
-2. Select the **History** tab to view a list of actions that were taken.
+2. Select the **History** tab to view a list of actions that were taken.
3. Select an item to view more details about the remediation action that was taken.
### Undo an action
-If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. You can undo most remediation actions.
-
-1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
+1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
2. On the **History** tab, select an action that you want to undo.
-3. In the flyout pane, select **Undo**. If the action cannot be undone with this method, you will not see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).)
+3. In the flyout pane, select **Undo**. If the action cannot be undone with this method, you will not see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).)
### Undo multiple actions at one time
-1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
-2. On the **History** tab, select the actions that you want to undo.
-3. In the pane on the right side of the screen, select **Undo**.
+1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
+2. On the **History** tab, select the actions that you want to undo.
+3. In the pane on the right side of the screen, select **Undo**.
### Remove a file from quarantine across multiple devices
+
+
1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
2. On the **History** tab, select a file that has the Action type **Quarantine file**.
-3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
-
+3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
## Part 3: Review or define exclusions
-An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
+An exclusion is an entity, such as a file or URL, that you specify as an exception to remediation actions. The excluded entity can still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
To define exclusions across Microsoft Defender for Endpoint, perform the following tasks:
- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus)
@@ -157,7 +156,7 @@ The procedures in this section describe how to define exclusions and indicators.
### Exclusions for Microsoft Defender Antivirus
-In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well.
+In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to define or edit your antivirus exclusions; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
> [!TIP]
> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus).
@@ -186,13 +185,9 @@ In general, you should not need to define exclusions for Microsoft Defender Anti
[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs.
-To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to the following capabilities:
+To specify entities as exclusions for Microsoft Defender for Endpoint, create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10), [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), and [automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
-- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
-- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
-- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)
-
-You can create indicators for:
+"Allow" indicators can be created for:
- [Files](#indicators-for-files)
- [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains)
@@ -205,7 +200,7 @@ You can create indicators for:
When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
Before you create indicators for files, make sure the following requirements are met:
-- Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
+- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus))
- Antimalware client version is 4.18.1901.x or later
- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
- The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features)
@@ -215,28 +210,28 @@ Before you create indicators for files, make sure the following requirements are
When you [create an "allow" indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain), it helps prevent the sites or IP addresses your organization uses from being blocked.
Before you create indicators for IP addresses, URLs, or domains, make sure the following requirements are met:
-- Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))
+- Network protection in Defender for Endpoint is enabled in block mode (see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))
- Antimalware client version is 4.18.1906.x or later
- Devices are running Windows 10, version 1709, or later
-Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).)
+Custom network indicators are turned on in the Microsoft Defender Security Center (see [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features))
#### Indicators for application certificates
When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported.
Before you create indicators for application certificates, make sure the following requirements are met:
-- Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
+- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus))
- Antimalware client version is 4.18.1901.x or later
- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
- Virus and threat protection definitions are up to date
> [!TIP]
-> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
+> When you create indicators, you can define them one by one, or import multiple items at once. Keep in mind there's a limit of 15,000 indicators for a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
## Part 4: Submit a file for analysis
-You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. When you sign in at the submission site, you can track your submissions.
+You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions, and their results help inform Microsoft Defender for Endpoint threat protection capabilities. When you sign in at the submission site, you can track your submissions.
### Submit a file for analysis
@@ -272,7 +267,7 @@ To check for updates regarding your submission, sign in at the [Microsoft Securi
## Part 5: Review and adjust your threat protection settings
-Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular:
+Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to:
- [Cloud-delivered protection](#cloud-delivered-protection)
- [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications)
@@ -287,6 +282,8 @@ Check your cloud-delivered protection level for Microsoft Defender Antivirus. By
We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivered protection settings.
+We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to edit or set your cloud-delivered protection settings; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
+
#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies)
1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
@@ -311,13 +308,13 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere
### Remediation for potentially unwanted applications
Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation.
-
-Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus.
-
-We recommend using Microsoft Endpoint Manager to edit or set PUA protection settings.
> [!TIP]
> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
+
+Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus.
+
+We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to edit or set PUA protection settings; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
#### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles)
@@ -344,18 +341,17 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett
[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
-Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team.
+Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts that are considered to be *Malicious* or *Suspicious*. In some cases, remediation actions occur automatically; in other cases, remediation actions are taken manually or only upon approval by your security operations team.
- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then
- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation).
-> [!TIP]
+> [!IMPORTANT]
> We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle.
-
## Still need help?
-If you have worked through all the steps in this article and still need help, your best bet is to contact technical support.
+If you have worked through all the steps in this article and still need help, contact technical support.
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**.
@@ -365,4 +361,4 @@ If you have worked through all the steps in this article and still need help, yo
[Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)
-[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
\ No newline at end of file
+[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx
index de1ec91182..b5683ec66f 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index 44d58c8d1e..c34737f912 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -99,7 +99,7 @@ Example:
`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions`
-`Value: c:\path|e:\path|c:\Whitelisted.exe`
+`Value: c:\path|e:\path|c:\Exclusions.exe`
> [!NOTE]
> Be sure to enter OMA-URI values without spaces.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index ab3344e02c..0d88d39023 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -44,7 +44,7 @@ Not all properties are filterable.
### Example 1
-Get 10 latest Alerts with related Evidence
+Get 10 latest Alerts with related Evidence:
```http
HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
@@ -57,75 +57,51 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
{
- "id": "da637306396589640224_1753239473",
- "incidentId": 875832,
- "investigationId": 478434,
+ "id": "da637472900382838869_1364969609",
+ "incidentId": 1126093,
+ "investigationId": null,
"assignedTo": null,
"severity": "Low",
"status": "New",
"classification": null,
"determination": null,
- "investigationState": "PendingApproval",
- "detectionSource": "WindowsDefenderAv",
- "category": "UnwantedSoftware",
- "threatFamilyName": "InstallCore",
- "title": "An active 'InstallCore' unwanted software was detected",
- "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
- "alertCreationTime": "2020-07-18T03:27:38.9483995Z",
- "firstEventTime": "2020-07-18T03:25:39.6124549Z",
- "lastEventTime": "2020-07-18T03:26:18.4362304Z",
- "lastUpdateTime": "2020-07-18T03:28:19.76Z",
+ "investigationState": "Queued",
+ "detectionSource": "WindowsDefenderAtp",
+ "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
+ "category": "Execution",
+ "threatFamilyName": null,
+ "title": "Low-reputation arbitrary code executed by signed executable",
+ "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
+ "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
+ "firstEventTime": "2021-01-26T20:31:32.9562661Z",
+ "lastEventTime": "2021-01-26T20:31:33.0577322Z",
+ "lastUpdateTime": "2021-01-26T20:33:59.2Z",
"resolvedTime": null,
- "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
- "computerDnsName": "temp2.redmond.corp.microsoft.com",
- "rbacGroupName": "Ring0",
- "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+ "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
+ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+ "rbacGroupName": "A",
+ "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
"relatedUser": {
- "userName": "temp2",
- "domainName": "REDMOND"
- },
- "comments": [],
+ "userName": "temp123",
+ "domainName": "MIDDLEEAST"
+ },
+ "comments": [
+ {
+ "comment": "test comment for docs",
+ "createdBy": "secop123@contoso.com",
+ "createdTime": "2021-01-26T01:00:37.8404534Z"
+ }
+ ],
"evidence": [
- {
- "entityType": "File",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": null,
- "processCommandLine": null,
- "processCreationTime": null,
- "parentProcessId": null,
- "parentProcessCreationTime": null,
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
- {
- "entityType": "Process",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": 24348,
- "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
- "processCreationTime": "2020-07-18T03:25:38.5269993Z",
- "parentProcessId": 16840,
- "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
{
"entityType": "User",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": null,
"sha256": null,
"fileName": null,
@@ -135,13 +111,74 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
"ipAddress": null,
"url": null,
- "accountName": "temp2",
- "domainName": "REDMOND",
- "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
- "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
- "userPrincipalName": "temp2@microsoft.com"
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": "eranb",
+ "domainName": "MIDDLEEAST",
+ "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
+ "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
+ "userPrincipalName": "temp123@microsoft.com",
+ "detectionStatus": null
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
+ "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
+ "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
+ "fileName": "rundll32.exe",
+ "filePath": "C:\\Windows\\SysWOW64",
+ "processId": 3276,
+ "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
+ "processCreationTime": "2021-01-26T20:31:32.9581596Z",
+ "parentProcessId": 8420,
+ "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
+ "parentProcessFileName": "rundll32.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "File",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+ "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
+ "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
+ "fileName": "suspicious.dll",
+ "filePath": "c:\\temp",
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
}
]
},
@@ -152,7 +189,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
### Example 2
-Get all the alerts last updated after 2019-11-22 00:00:00
+Get all the alerts last updated after 2019-11-22 00:00:00:
```http
HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z
@@ -188,6 +225,12 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate
"computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "MiddleEast",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
"relatedUser": {
"userName": "temp123",
"domainName": "MIDDLEEAST"
@@ -208,7 +251,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate
### Example 3
-Get all the devices with 'High' 'RiskScore'
+Get all the devices with 'High' 'RiskScore':
```http
HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScore+eq+'High'
@@ -221,25 +264,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScor
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
"osPlatform": "Windows10",
- "version": "1709",
"osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
"healthStatus": "Active",
- "rbacGroupId": 140,
+ "deviceValue": "Normal",
"rbacGroupName": "The-A-Team",
"riskScore": "High",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "ExampleTag" ]
- },
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
+ },
...
]
}
@@ -247,7 +304,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScor
### Example 4
-Get top 100 devices with 'HealthStatus' not equals to 'Active'
+Get top 100 devices with 'HealthStatus' not equals to 'Active':
```http
HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100
@@ -260,25 +317,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthSt
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
"osPlatform": "Windows10",
- "version": "1709",
"osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "ImpairedCommunication",
- "rbacGroupId": 140,
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
+ "healthStatus": "Active",
+ "deviceValue": "Normal",
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "ExampleTag" ]
- },
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
+ },
...
]
}
@@ -286,7 +357,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthSt
### Example 5
-Get all the devices that last seen after 2018-10-20
+Get all the devices that last seen after 2018-10-20:
```http
HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen gt 2018-08-01Z
@@ -299,25 +370,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
"osPlatform": "Windows10",
- "version": "1709",
"osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "ImpairedCommunication",
- "rbacGroupId": 140,
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
+ "healthStatus": "Active",
+ "deviceValue": "Normal",
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "ExampleTag" ]
- },
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
+ },
...
]
}
@@ -325,7 +410,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen
### Example 6
-Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint
+Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint:
```http
HTTP GET https://api.securitycenter.microsoft.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
@@ -384,25 +469,39 @@ json{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
- "osPlatform": "Windows10",
- "version": "1709",
- "osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "ImpairedCommunication",
- "rbacGroupId": 140,
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "ExampleTag" ]
- },
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
+ "osPlatform": "Windows10",
+ "osProcessor": "x64",
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
+ "healthStatus": "Active",
+ "deviceValue": "Normal",
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
+ },
...
]
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
index 60d47669c1..4a56186c19 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
@@ -56,7 +56,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
GET /api/alerts/{id}/machine
```
@@ -90,24 +91,37 @@ Here is an example of the response.
```json
{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines/$entity",
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
- "osPlatform": "Windows10",
- "version": "1709",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
+ "osPlatform": "Windows10",
"osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "Active",
- "rbacGroupId": 140,
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
+ "healthStatus": "Active",
+ "deviceValue": "Normal",
"rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "test tag 2" ]
+ "riskScore": "Low",
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
}
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index eb0067b2ba..47af279049 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -128,6 +128,12 @@ Here is an example of the response.
"computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "MiddleEast",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
"relatedUser": {
"userName": "temp123",
"domainName": "MIDDLEEAST"
@@ -170,75 +176,51 @@ Here is an example of the response.
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
{
- "id": "da637306396589640224_1753239473",
- "incidentId": 875832,
- "investigationId": 478434,
+ "id": "da637472900382838869_1364969609",
+ "incidentId": 1126093,
+ "investigationId": null,
"assignedTo": null,
"severity": "Low",
"status": "New",
"classification": null,
"determination": null,
- "investigationState": "PendingApproval",
- "detectionSource": "WindowsDefenderAv",
- "category": "UnwantedSoftware",
- "threatFamilyName": "InstallCore",
- "title": "An active 'InstallCore' unwanted software was detected",
- "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
- "alertCreationTime": "2020-07-18T03:27:38.9483995Z",
- "firstEventTime": "2020-07-18T03:25:39.6124549Z",
- "lastEventTime": "2020-07-18T03:26:18.4362304Z",
- "lastUpdateTime": "2020-07-18T03:28:19.76Z",
+ "investigationState": "Queued",
+ "detectionSource": "WindowsDefenderAtp",
+ "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
+ "category": "Execution",
+ "threatFamilyName": null,
+ "title": "Low-reputation arbitrary code executed by signed executable",
+ "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
+ "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
+ "firstEventTime": "2021-01-26T20:31:32.9562661Z",
+ "lastEventTime": "2021-01-26T20:31:33.0577322Z",
+ "lastUpdateTime": "2021-01-26T20:33:59.2Z",
"resolvedTime": null,
- "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
- "computerDnsName": "temp2.redmond.corp.microsoft.com",
- "rbacGroupName": "Ring0",
- "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+ "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
+ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+ "rbacGroupName": "A",
+ "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
"relatedUser": {
- "userName": "temp2",
- "domainName": "REDMOND"
- },
- "comments": [],
+ "userName": "temp123",
+ "domainName": "MIDDLEEAST"
+ },
+ "comments": [
+ {
+ "comment": "test comment for docs",
+ "createdBy": "secop123@contoso.com",
+ "createdTime": "2021-01-26T01:00:37.8404534Z"
+ }
+ ],
"evidence": [
- {
- "entityType": "File",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": null,
- "processCommandLine": null,
- "processCreationTime": null,
- "parentProcessId": null,
- "parentProcessCreationTime": null,
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
- {
- "entityType": "Process",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": 24348,
- "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
- "processCreationTime": "2020-07-18T03:25:38.5269993Z",
- "parentProcessId": 16840,
- "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
{
"entityType": "User",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": null,
"sha256": null,
"fileName": null,
@@ -248,13 +230,74 @@ Here is an example of the response.
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
"ipAddress": null,
"url": null,
- "accountName": "temp2",
- "domainName": "REDMOND",
- "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
- "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
- "userPrincipalName": "temp2@microsoft.com"
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": "eranb",
+ "domainName": "MIDDLEEAST",
+ "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
+ "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
+ "userPrincipalName": "temp123@microsoft.com",
+ "detectionStatus": null
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
+ "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
+ "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
+ "fileName": "rundll32.exe",
+ "filePath": "C:\\Windows\\SysWOW64",
+ "processId": 3276,
+ "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
+ "processCreationTime": "2021-01-26T20:31:32.9581596Z",
+ "parentProcessId": 8420,
+ "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
+ "parentProcessFileName": "rundll32.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "File",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+ "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
+ "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
+ "fileName": "suspicious.dll",
+ "filePath": "c:\\temp",
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
}
]
},
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
index 0a6ff20f30..76dc993182 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
@@ -41,7 +41,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name.
## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).
Permission type | Permission | Permission display name
:---|:---|:---
@@ -93,25 +93,37 @@ Here is an example of the response.
```json
{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine",
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
"osPlatform": "Windows10",
- "version": "1709",
"osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
"healthStatus": "Active",
- "rbacGroupId": 140,
+ "deviceValue": "Normal",
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "test tag 2" ]
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
}
-
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
index 42a179a64f..44e815ff37 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
@@ -33,9 +33,12 @@ ms.technology: mde
## API description
Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender for Endpoint cloud.
-
Supports [OData V4 queries](https://www.odata.org/documentation/).
-
The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
-
See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md)
+
+Supports [OData V4 queries](https://www.odata.org/documentation/).
+
+The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
+
+See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md).
## Limitations
@@ -55,8 +58,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>[!Note]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information).
+>- Response will include only devices, that the user have access to, based on device group settings. For more info, see [Create and manage device groups](machine-groups.md).
## HTTP request
@@ -97,25 +100,39 @@ Here is an example of the response.
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
"osPlatform": "Windows10",
- "version": "1709",
"osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
"healthStatus": "Active",
- "rbacGroupId": 140,
+ "deviceValue": "Normal",
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "test tag 2" ]
- }
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
+ },
...
]
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md
index 2bde8df0d5..972dc7f639 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/gov.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md
@@ -31,8 +31,16 @@ This offering is currently available to Microsoft 365 GCC and GCC High customers
> [!NOTE]
> If you are a "GCC on Commercial" customer, please refer to the public documentation pages.
-
+## Portal URLs
+The following are the Microsoft Defender for Endpoint portal URLs for US Government customers:
+
+Customer type | Portal URL
+:---|:---
+GCC | https://gcc.securitycenter.microsoft.us
+GCC High | https://securitycenter.microsoft.us
+
+
## Endpoint versions
@@ -63,7 +71,10 @@ Android |  On engineering backlog |  On engineering backlog |  On engineering backlog
> [!NOTE]
-> A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment.
+> Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment.
+
+> [!NOTE]
+> Trying to onboard Windows devices older than Windows 10 or Windows Server 2019 using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud" if using the [setup wizard](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard), or if using a [command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line) or a [script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation) - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.
### OS versions when using Azure Defender for Servers
The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp):
@@ -88,7 +99,6 @@ Defender for Endpoint GCC High specific | `winatp-gw-usgt.microsoft.com`
`win
-
## API
Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro), you'll need to use the following URIs:
@@ -100,7 +110,6 @@ SIEM | `https://wdatp-alertexporter-us.gcc.securitycenter.windows.us` | `https:/
-
## Feature parity with commercial
Defender for Endpoint doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available that we'd like to highlight.
@@ -114,18 +123,18 @@ Email notifications |  Rolling out |  |  In development
Management and APIs: Device health and compliance report |  |  In development
Management and APIs: Integration with third-party products |  |  In development
-Management and APIs: Streaming API |  Rolling out |  In development
+Management and APIs: Streaming API |  |  In development
Management and APIs: Threat protection report |  |  In development
Threat & vulnerability management |  |  In development
Threat analytics |  |  In development
Web content filtering |  In development |  In development
-Integrations: Azure Sentinel |  Rolling out |  In development
+Integrations: Azure Sentinel |  |  In development
Integrations: Microsoft Cloud App Security |  On engineering backlog |  On engineering backlog
Integrations: Microsoft Compliance Center |  On engineering backlog |  On engineering backlog
Integrations: Microsoft Defender for Identity |  On engineering backlog |  On engineering backlog
Integrations: Microsoft Defender for Office 365 |  On engineering backlog |  On engineering backlog
Integrations: Microsoft Endpoint DLP |  On engineering backlog |  On engineering backlog
Integrations: Microsoft Intune |  |  In development
-Integrations: Microsoft Power Automate & Azure Logic Apps |  Rolling out |  In development
+Integrations: Microsoft Power Automate & Azure Logic Apps |  |  In development
Integrations: Skype for Business / Teams |  |  In development
Microsoft Threat Experts |  On engineering backlog |  On engineering backlog
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
index be86647e97..78a28933b4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
@@ -2,7 +2,7 @@
title: Create indicators for files
ms.reviewer:
description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities.
-keywords: file, hash, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
+keywords: file, hash, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
@@ -39,7 +39,7 @@ There are two ways you can create indicators for files:
### Before you begin
It's important to understand the following prerequisites prior to creating indicators for files:
-- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
- The Antimalware client version must be 4.18.1901.x or later.
- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019.
- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
index f238e1f680..4491cd3549 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
@@ -2,7 +2,7 @@
title: Create indicators for IPs and URLs/domains
ms.reviewer:
description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities.
-keywords: ip, url, domain, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
+keywords: ip, url, domain, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
@@ -46,9 +46,10 @@ It's important to understand the following prerequisites prior to creating indic
- The Antimalware client version must be 4.18.1906.x or later.
- Supported on machines on Windows 10, version 1709 or later.
- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).
+- For support of indicators on iOS, see [Configure custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features#configure-custom-indicators).
->[!IMPORTANT]
+> [!IMPORTANT]
> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
> NOTE:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
index d04735e349..00fc73300c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
@@ -28,40 +28,11 @@ ms.technology: mde
> [!NOTE]
> Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
-## Configure compliance policy against jailbroken devices
+## Conditional Access with Defender for Endpoint for iOS
+Microsoft Defender for Endpoint for iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies
+based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune.
-To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune.
-
-> [!NOTE]
-> At this time Microsoft Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally
-
-Follow the steps below to create a compliance policy against jailbroken devices.
-
-1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> click on **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-1. Specify a name of the policy, example "Compliance Policy for Jailbreak".
-1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field.
-
- > [!div class="mx-imgBorder"]
- > 
-
-1. In the *Action for noncompliance* section, select the actions as per your requirements and click **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-1. In the *Assignments* section, select the user groups that you want to include for this policy and then click **Next**.
-1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
-
-## Configure custom indicators
-
-Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. Refer to [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) on how to configure custom indicators.
-
-> [!NOTE]
-> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains.
+For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
## Web Protection and VPN
@@ -79,10 +50,46 @@ While enabled by default, there might be some cases that require you to disable
> [!NOTE]
> Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**.
-### Co-existence of multiple VPN profiles
+## Co-existence of multiple VPN profiles
Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time.
+
+## Configure compliance policy against jailbroken devices
+
+To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune.
+
+> [!NOTE]
+> At this time Microsoft Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally
+
+Follow the steps below to create a compliance policy against jailbroken devices.
+
+1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+2. Specify a name of the policy, for example "Compliance Policy for Jailbreak".
+3. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field.
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+4. In the *Action for noncompliance* section, select the actions as per your requirements and select **Next**.
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+5. In the *Assignments* section, select the user groups that you want to include for this policy and then select **Next**.
+6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
+
+## Configure custom indicators
+
+Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. For more information on how to configure custom indicators, see [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
+
+> [!NOTE]
+> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains.
+
## Report unsafe site
Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index c45701fbed..046ec05444 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -32,10 +32,18 @@ ms.technology: mde
This article describes how to deploy Microsoft Defender for Endpoint for Linux manually. A successful deployment requires the completion of all of the following tasks:
-- [Configure the Linux software repository](#configure-the-linux-software-repository)
-- [Application installation](#application-installation)
-- [Download the onboarding package](#download-the-onboarding-package)
-- [Client configuration](#client-configuration)
+- [Deploy Microsoft Defender for Endpoint for Linux manually](#deploy-microsoft-defender-for-endpoint-for-linux-manually)
+ - [Prerequisites and system requirements](#prerequisites-and-system-requirements)
+ - [Configure the Linux software repository](#configure-the-linux-software-repository)
+ - [RHEL and variants (CentOS and Oracle Linux)](#rhel-and-variants-centos-and-oracle-linux)
+ - [SLES and variants](#sles-and-variants)
+ - [Ubuntu and Debian systems](#ubuntu-and-debian-systems)
+ - [Application installation](#application-installation)
+ - [Download the onboarding package](#download-the-onboarding-package)
+ - [Client configuration](#client-configuration)
+ - [Log installation issues](#log-installation-issues)
+ - [Operating system upgrades](#operating-system-upgrades)
+ - [Uninstallation](#uninstallation)
## Prerequisites and system requirements
@@ -60,7 +68,7 @@ In order to preview new features and provide early feedback, it is recommended t
sudo yum install yum-utils
```
-- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config/`. For instance, RHEL 7.9 is closer to 7.4 than to 8.
In the below commands, replace *[distro]* and *[version]* with the information you've identified:
@@ -71,7 +79,13 @@ In order to preview new features and provide early feedback, it is recommended t
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
- For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
+ For example, if you are running CentOS 7 and wish to deploy MDE for Linux from the *prod* channel:
+
+ ```bash
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/prod.repo
+ ```
+
+ Or if you wish to explore new features on selected devices, you might want to deploy MDE for Linux to *insiders-fast* channel:
```bash
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
@@ -91,7 +105,7 @@ In order to preview new features and provide early feedback, it is recommended t
### SLES and variants
-- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+- Note your distribution and version, and identify the closest entry(by major, then minor) for it under `https://packages.microsoft.com/config/`.
In the following commands, replace *[distro]* and *[version]* with the information you've identified:
@@ -99,10 +113,10 @@ In order to preview new features and provide early feedback, it is recommended t
sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
- For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
+ For example, if you are running SLES 12 and wish to deploy MDE for Linux from the *prod* channel:
```bash
- sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo
+ sudo zypper addrepo -c -f -n microsoft-prod https://packages.microsoft.com/config/sles/12/prod.repo
```
- Install the Microsoft GPG public key:
@@ -125,7 +139,7 @@ In order to preview new features and provide early feedback, it is recommended t
sudo apt-get install libplist-utils
```
-- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`.
+- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config`.
In the below command, replace *[distro]* and *[version]* with the information you've identified:
@@ -133,10 +147,10 @@ In order to preview new features and provide early feedback, it is recommended t
curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list
```
- For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
+ For example, if you are running Ubuntu 18.04 and wish to deploy MDE for Linux from the *prod* channel:
```bash
- curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
+ curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/prod.list
```
- Install the repository configuration:
@@ -144,10 +158,10 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list
```
- For example, if you chose *insiders-fast* channel:
+ For example, if you chose *prod* channel:
```bash
- sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list
+ sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-prod.list
```
- Install the `gpg` package if not already installed:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
index ec804b1358..19ac941547 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
@@ -80,9 +80,9 @@ There are several ways to uninstall Defender for Endpoint for Linux. If you are
### Manual uninstallation
-- ```sudo yum remove mdatp``` for RHEL and variants(CentOS and Oracle Linux).
-- ```sudo zypper remove mdatp``` for SLES and variants.
-- ```sudo apt-get purge mdatp``` for Ubuntu and Debian systems.
+- `sudo yum remove mdatp` for RHEL and variants(CentOS and Oracle Linux).
+- `sudo zypper remove mdatp` for SLES and variants.
+- `sudo apt-get purge mdatp` for Ubuntu and Debian systems.
## Configure from the command line
@@ -98,15 +98,15 @@ The following table lists commands for some of the most common scenarios. Run `m
|Group |Scenario |Command |
|----------------------|--------------------------------------------------------|-----------------------------------------------------------------------|
-|Configuration |Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled|disabled]` |
-|Configuration |Turn on/off cloud protection |`mdatp config cloud --value [enabled|disabled]` |
-|Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled|disabled]` |
-|Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled|disabled]` |
-|Configuration |Turn on/off AV passive mode |`mdatp config passive-mode [enabled|disabled]` |
-|Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add|remove] --name [extension]` |
-|Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add|remove] --path [path-to-file]` |
-|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path [path-to-directory]` |
-|Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add|remove] --path [path-to-process]`
`mdatp exclusion process [add|remove] --name [process-name]` |
+|Configuration |Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled\|disabled]` |
+|Configuration |Turn on/off cloud protection |`mdatp config cloud --value [enabled\|disabled]` |
+|Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled\|disabled]` |
+|Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled\|disabled]` |
+|Configuration |Turn on/off AV passive mode |`mdatp config passive-mode --value [enabled\|disabled]` |
+|Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add\|remove] --name [extension]` |
+|Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add\|remove] --path [path-to-file]` |
+|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add\|remove] --path [path-to-directory]` |
+|Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add\|remove] --path [path-to-process]`
`mdatp exclusion process [add\|remove] --name [process-name]` |
|Configuration |List all antivirus exclusions |`mdatp exclusion list` |
|Configuration |Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
|Configuration |Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
@@ -161,6 +161,6 @@ In the Defender for Endpoint portal, you'll see two categories of information:
- Logged on users do not appear in the Microsoft Defender Security Center portal.
- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
- ```bash
+ ```bash
sudo SUSEConnect --status-text
- ```
+ ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
index 904279814f..375f715a8e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
@@ -116,7 +116,7 @@ To complete this process, you must have admin privileges on the device.
The client device is not associated with orgId. Note that the *orgId* attribute is blank.
```bash
- mdatp --health orgId
+ mdatp health --field org_id
```
2. Run the Python script to install the configuration file:
@@ -128,7 +128,7 @@ To complete this process, you must have admin privileges on the device.
3. Verify that the device is now associated with your organization and reports a valid *orgId*:
```bash
- mdatp --health orgId
+ mdatp health --field org_id
```
After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
index a83bc01f7a..37371fa8f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
@@ -59,7 +59,7 @@ You can configure how PUA files are handled from the command line or from the ma
In Terminal, execute the following command to configure PUA protection:
```bash
-mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
+mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
```
### Use the management console to configure PUA protection:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index 8ab4ccb54a..227df25707 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -149,7 +149,7 @@ To enable autocompletion in zsh:
## Client Microsoft Defender for Endpoint quarantine directory
-`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`.
+`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp threat list`.
## Microsoft Defender for Endpoint portal information
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
index b7f2649c73..331b7057ff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
@@ -47,7 +47,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device.
sh
-c
- /usr/local/bin/mdatp --scan --quick
+ /usr/local/bin/mdatp scan quick
RunAtLoad
@@ -73,7 +73,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device.
2. Save the file as *com.microsoft.wdav.schedquickscan.plist*.
> [!TIP]
- > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp --scan --quick`, to use the `--full` option instead of `--quick` (i.e. `/usr/local/bin/mdatp --scan --full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*.
+ > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp scan quick`, to use the `full` option instead of `quick` (i.e. `/usr/local/bin/mdatp scan full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*.
3. Open **Terminal**.
4. Enter the following commands to load your file:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
index 3cefc80735..8d726d2f36 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
@@ -37,15 +37,15 @@ If you did not approve the kernel extension during the deployment/installation o
-You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device.
+You can also run ```mdatp health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device.
```bash
-mdatp --health
+mdatp health
```
```Output
...
-realTimeProtectionAvailable : false
-realTimeProtectionEnabled : true
+real_time_protection_enabled : false
+real_time_protection_available : true
...
```
@@ -90,15 +90,15 @@ In this case, you need to perform the following steps to trigger the approval fl
sudo kextutil /Library/Extensions/wdavkext.kext
```
- The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
+ The banner should disappear from the Defender application, and ```mdatp health``` should now report that real-time protection is both enabled and available:
```bash
- mdatp --health
+ mdatp health
```
```Output
...
- realTimeProtectionAvailable : true
- realTimeProtectionEnabled : true
+ real_time_protection_enabled : true
+ real_time_protection_available : true
...
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
index 96b85255e0..cbfb2f15f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
@@ -43,13 +43,13 @@ The following steps can be used to troubleshoot and mitigate these issues:
- From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**.
- 
+ 
- From the Terminal. For security purposes, this operation requires elevation.
- ```bash
- mdatp --config realTimeProtectionEnabled false
- ```
+ ```bash
+ mdatp config real-time-protection --value disabled
+ ```
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
index 3e8f336502..3a5f837ab4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
@@ -45,7 +45,7 @@ These steps assume you already have Defender for Endpoint running on your device
- Your device must be in the **Insider Fast update channel**. You can check the update channel by using the following command:
```bash
- mdatp --health releaseRing
+ mdatp health --field release_ring
```
If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted).
@@ -66,8 +66,9 @@ Follow the deployment steps that correspond to your environment and your preferr
1. After all deployment prerequisites are met, restart your device to launch the system extension approval and activation process.
-You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device.
-For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run.
+ You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device.
+
+ For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run.
> [!IMPORTANT]
> You must close and reopen the **System Preferences** > **Security & Privacy** window between subsequent approvals. Otherwise, macOS will not display the next approval.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 617e8532aa..55c92067b1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -30,6 +30,14 @@ ms.technology: mde
> [!IMPORTANT]
> Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021.
+## 101.19.48
+
+> [!NOTE]
+> The old command-line tool syntax has been deprecated with this release. For information on the new syntax, see [Resources](mac-resources.md#configuring-from-the-command-line).
+
+- Added a new command-line switch to disable the network extension: `mdatp system-extension network-filter disable`. This command can be useful to troubleshoot networking issues that could be related to Microsoft Defender for Endpoint for Mac
+- Performance improvements & bug fixes
+
## 101.19.21
- Bug fixes
@@ -165,7 +173,7 @@ ms.technology: mde
- Fixed an issue where Microsoft Defender for Endpoint for Mac was sometimes interfering with Time Machine
- Added a new switch to the command-line utility for testing the connectivity with the backend service
```bash
- mdatp --connectivity-test
+ mdatp connectivity test
```
- Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view)
- Performance improvements & bug fixes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index 896f5ca654..477cebbeb7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -58,17 +58,19 @@ computerDnsName | String | [machine](machine.md) fully qualified name.
firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint.
lastSeen | DateTimeOffset |Time and date of the last received full device report. A device typically sends a full report every 24 hours.
osPlatform | String | Operating system platform.
+osProcessor | String | Operating system processor.
version | String | Operating system Version.
osBuild | Nullable long | Operating system build number.
lastIpAddress | String | Last IP on local NIC on the [machine](machine.md).
lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet.
healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown".
rbacGroupName | String | Machine group Name.
-rbacGroupId | Int | Machine group unique ID.
riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'.
exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.
aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is AAD Joined).
machineTags | String collection | Set of [machine](machine.md) tags.
exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.
deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'.
+ipAddresses | IpAddress collection | Set of ***IpAddress*** objects. See [Get machines API](get-machines.md).
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
index bf07f58bcb..d98440f9bd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
@@ -142,7 +142,7 @@ Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defen
|Method |What to do |
|---------|---------|
|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index 61c7fe0660..9766c422da 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -132,7 +132,7 @@ The output from this command should be similar to the following:
Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal:
```bash
-mdatp --connectivity-test
+mdatp connectivity test
```
## How to update Microsoft Defender for Endpoint for Mac
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index 7d4ff91ed4..f7623205a3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -199,14 +199,12 @@ When Microsoft Defender Antivirus is not the active antimalware in your organiza
If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy.
-If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
+If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
> [!NOTE]
> Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on.
-For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-
## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
index 8bf4aa0e07..bb6315accb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
@@ -83,9 +83,13 @@ Review the following details to verify minimum system requirements:
- Copy the workspace ID and workspace key
3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent:
- - Manually install the agent using setup
+ - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)**
- - [Install the agent using command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script)
+ - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line).
+ - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation).
+
+ > [!NOTE]
+ > If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.
4. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index 035be361f5..49d143d897 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -1,6 +1,6 @@
---
title: Pull Microsoft Defender for Endpoint detections using REST API
-description: Learn how call an Microsoft Defender for Endpoint API endpoint to pull detections in JSON format using the SIEM REST API.
+description: Learn how to call a Microsoft Defender for Endpoint API endpoint to pull detections in JSON format using the SIEM REST API.
keywords: detections, pull detections, rest api, request, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -67,7 +67,7 @@ Use the following method in the Microsoft Defender for Endpoint API to pull dete
## Get an access token
Before creating calls to the endpoint, you'll need to get an access token.
-You'll use the access token to access the protected resource, which are detections in Microsoft Defender for Endpoint.
+You'll use the access token to access the protected resource, which is detections in Microsoft Defender for Endpoint.
To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
@@ -84,10 +84,10 @@ The response will include an access token and expiry information.
```json
{
"token_type": "Bearer",
- "expires_in": "3599",
- "ext_expires_in": "0",
- "expires_on": "1488720683",
- "not_before": "1488720683",
+ "expires_in": 3599,
+ "ext_expires_in": 0,
+ "expires_on": 1488720683,
+ "not_before": 1488720683,
"resource": "https://graph.windows.net",
"access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
}
@@ -115,7 +115,7 @@ Name | Value| Description
:---|:---|:---
sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from, based on field:
`LastProcessedTimeUtc`
The time range will be: from sinceTimeUtc time to current time.
**NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.
**NOTE**: When not specified, the default value will be the current time.
-ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.
Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
+ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.
Value should be set according to **ISO 8601** duration format
Example: `ago=PT10M` will pull alerts received in the last 10 minutes.
limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.
**NOTE**: When not specified, all alerts available in the time range will be retrieved.
machinegroups | string | Specifies device groups to pull alerts from.
**NOTE**: When not specified, alerts from all device groups will be retrieved.
Example:
```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
DeviceCreatedMachineTags | string | Single device tag from the registry.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
index 6f1fe23a4a..66e0dfcd99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
@@ -73,12 +73,28 @@ Content-Type | string | application/json. **Required**.
## Request body
-```json
-{
- "DeviceValue": "{device value}"
-}
-```
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+DeviceValue | Enum | Device value. Allowed values are: 'Normal', 'Low' and 'High'. **Required**.
## Response
If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
+
+## Example
+
+**Request**
+
+Here is an example of a request that adds machine tag.
+
+```http
+POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue
+```
+
+```json
+{
+ "DeviceValue" : "High"
+}
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
deleted file mode 100644
index 111a228fa4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Supported Microsoft Defender Advanced Threat Protection response APIs
-description: Learn about the specific response-related Microsoft Defender Advanced Threat Protection API calls.
-keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.technology: mde
----
-
-# Supported Microsoft Defender for Endpoint query APIs
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-> [!TIP]
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink)
-
-Learn about the supported response-related API calls you can run and details such as the required request headers, and expected response from the calls.
-
-## In this section
-Topic | Description
-:---|:---
-Collect investigation package | Run this API to collect an investigation package from a device.
-Isolate device | Run this API to isolate a device from the network.
-Unisolate device | Remove a device from isolation.
-Restrict code execution | Run this API to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
-Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated.
-Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device.
-Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys.
-Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage.
-Block file | Run this API to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware.
-Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus.
-Get package SAS URI | Run this API to get a URI that allows downloading an investigation package.
-Get MachineAction object | Run this API to get MachineAction object.
-Get MachineActions collection | Run this to get MachineAction collection.
-Get FileActions collection | Run this API to get FileActions collection.
-Get FileMachineAction object | Run this API to get FileMachineAction object.
-Get FileMachineActions collection | Run this API to get FileMachineAction collection.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
index 639bbd689d..6b6dd2a9cd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
@@ -138,7 +138,7 @@ Microsoft Defender Antivirus can run alongside your existing endpoint protection
|Method |What to do |
|---------|---------|
|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
index 8648a57da9..da69f9acd3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
@@ -117,7 +117,7 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def
|Method |What to do |
|---------|---------|
|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
index 3ab66598fc..75b6243eea 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
@@ -33,6 +33,9 @@ Event timeline is a risk news feed that helps you interpret how risk is introduc
Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) and [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) so you can determine the cause of large changes. Events can impact your devices or your score for devices. Reduce you exposure by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md).
+>[!TIP]
+>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md)
+
## Navigate to the Event timeline page
There are also three entry points from the [threat and vulnerability management dashboard](tvm-dashboard-insights.md):
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
index 8a626f4670..c25e934d20 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
@@ -29,9 +29,9 @@ ms.technology: mde
When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as:
-- A rule blocks a file, process, or performs some other action that it should not (false positive)
+- A rule blocks a file, process, or performs some other action that it shouldn't (false positive)
-- A rule does not work as described, or does not block a file or process that it should (false negative)
+- A rule doesn't work as described, or doesn't block a file or process that it should (false negative)
There are four steps to troubleshooting these problems:
@@ -53,7 +53,7 @@ Attack surface reduction rules will only work on devices with the following cond
- [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
-- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+- Audit mode isn't enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.
@@ -61,7 +61,7 @@ If these prerequisites have all been met, proceed to the next step to test the r
You can visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.
-Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with.
+Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you're encountering problems with.
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run.
@@ -69,19 +69,19 @@ Follow these instructions in [Use the demo tool to see how attack surface reduct
3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
-If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
+If a rule isn't blocking a file or process that you're expecting it should block, first check if audit mode is enabled.
Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
-If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation:
+If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation:
-1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
+1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
-2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
+2. If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
## Add exclusions for a false positive
-If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.
+If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.
To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md).
@@ -95,12 +95,12 @@ Use the [Windows Defender Security Intelligence web-based submission form](https
## Collect diagnostic data for file submissions
-When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
+When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
1. Open an elevated command prompt and change to the Windows Defender directory:
```console
- cd c:\program files\windows defender
+ cd "c:\program files\windows defender"
```
2. Run this command to generate the diagnostic logs:
@@ -109,7 +109,7 @@ When you report a problem with attack surface reduction rules, you are asked to
mpcmdrun -getfiles
```
-3. By default, they are saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form.
+3. By default, they're saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form.
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index 5ec3a45841..dfa4d609a2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -34,6 +34,9 @@ Cybersecurity weaknesses identified in your organization are mapped to actionabl
Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
+>[!TIP]
+>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md)
+
## How it works
Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time.
@@ -105,7 +108,7 @@ From the flyout, you can choose any of the following options:
### Investigate changes in device exposure or impact
-If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and configuration score, then that security recommendation is worth investigating.
+If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Microsoft Secure Score for Devices, then that security recommendation is worth investigating.
1. Select the recommendation and **Open software page**
2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index 5a407a7cb6..30820fa2ac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -38,9 +38,9 @@ Before you begin, ensure that you meet the following operating system or platfor
Operating system | Security assessment support
:---|:---
Windows 7 | Operating System (OS) vulnerabilities
-Windows 8.1 | Not supported
-Windows 10 1607-1703 | Operating System (OS) vulnerabilities
-Windows 10 1709+ |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+Windows 8.1 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment |
+Windows 10, versions 1607-1703 | Operating System (OS) vulnerabilities
+Windows 10, version 1709 or later |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index 28fb4d19b3..dc46a51f0e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -36,12 +36,8 @@ The **Weaknesses** page lists the software vulnerabilities your devices are expo
>[!NOTE]
>If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by threat and vulnerability management.
->[!IMPORTANT]
->To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
->- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
->- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
->- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
->- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
+>[!TIP]
+>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md)
## Navigate to the Weaknesses page
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 8eb3de7a42..d44af33f24 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -23,11 +23,8 @@ ms.technology: mde
**Applies to:**
- Windows 10
-- Windows Server 2016
-You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC). Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited.
-
-In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies via the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp).
+You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited. In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI.
## Using Intune's Built-In Policies
@@ -50,38 +47,56 @@ Setting "Trust apps with good reputation" to enabled is equivalent to adding [Op
## Using a Custom OMA-URI Profile
+> [!NOTE]
+> Policies deployed through Intune Custom OMA-URI are subject to a 350,000 byte limit. Customers whose devices are running 1903+ builds of Windows are encouraged to use [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) which are more streamlined and less than 350K bytes in size.
+
### For 1903+ systems
-The steps to use Intune's Custom OMA-URI functionality to leverage the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) and deploy a custom WDAC policy to 1903+ systems are:
+Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies.
+
+#### Deploying policies
+The steps to use Intune's Custom OMA-URI functionality are:
1. Know a generated policy's GUID, which can be found in the policy xml as ``
+
2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+
3. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
+
4. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
+
5. Add a row, then give your policy a name and use the following settings:
- **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy
- **Data type**: Base64
- **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
- 
+ > [!div class="mx-imgBorder"]
+ > 
-> [!NOTE]
-> Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
+#### Removing policies
+
+Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
### For pre-1903 systems
+#### Deploying policies
The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+
2. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
+
3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
+
4. Add a row, then give your policy a name and use the following settings:
- **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)
- **Data type**: Base64
- **Certificate file**: upload your binary format policy file
+
+ > [!NOTE]
+ > Deploying policies via the AppLocker CSP will force a reboot during OOBE.
-> [!NOTE]
-> Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy.
+#### Removing policies
+
+Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy.
-> [!NOTE]
-> Deploying policies via the AppLocker CSP will force a reboot during OOBE.