Merge branch 'master' into lomayor-wtp

2025-05-18 16:27:22 +00:00 · 2019-09-06 10:50:01 -07:00 · 2019-09-06 10:50:01 -07:00 · e3d69bff5a
commit e3d69bff5a
parent d5da44987c 60438733bb
11 changed files with 215 additions and 99 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -631,6 +631,11 @@
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md",
 "redirect_url": "windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control",
 "redirect_document_id": true
@ -15329,3 +15334,5 @@
 }
 ]
 }
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@ -24,7 +24,7 @@ ms.topic: article
 This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
-> **Windows 10 version upgrade**: You can directly upgrade a supported version of Windows 10 to a newer version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. 
+> **Windows 10 version upgrade**: You can directly upgrade any semi-annual channel version of Windows 10 to a newer, supported semi-annual channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. 
 > 
 > **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
 > 
@ -34,7 +34,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
 > 
 > **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355).
-✔ = Full upgrade is supported including personal data, settings, and applications.<BR>
+✔ = Full upgrade is supported including personal data, settings, and applications.<br>
 D = Edition downgrade; personal data is maintained, applications and settings are removed.
 <br>
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -504,7 +504,6 @@
 #### [Rules]()
 ##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
 ##### [Manage automation allowed/blocked lists](microsoft-defender-atp/manage-automation-allowed-blocked-list.md)
 ##### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
 ##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
 ##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@ -53,7 +53,7 @@ For tenants created on or after Windows 10, version 1809 the automated investiga
 > - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.  
 >- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
-## Block file
+## Allow or block file
 Blocking is only available if your organization uses Windows Defender Antivirus as the active antimalware solution, and if the cloud-based protection feature is enabled.
@ -71,6 +71,19 @@ To turn **Allow or block** files on:
 Once you have enabled this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
 ## Custom network indicators
 Enabling this feature allows you to create indicators for IP addresses, domains, or URLs which determine whether they will be allowed or blocked based on your custom indicator list. 
 To use this feature, machines must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834). 
 For more information, see [Manage indicators](manage-indicators.md).
 >[!NOTE]
 >Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender ATP data.
 ## Show user details
 When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information  when investigating user account entities. You can find user account information in the following views:
--- a/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md
@ -1,68 +0,0 @@
 ---
 title: Manage automation allowed/blocked lists
 description: Create lists that control what items are automatically blocked or allowed during an automatic investigation.
 keywords: manage, automation, whitelist, blacklist, block, clean, malicious
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ---
 # Manage automation allowed/blocked lists
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
 Create a rule to control which entities are automatically incriminated or exonerated during Automated investigations.  
 Entities added to the allowed list are considered safe and will not be analyzed during Automated investigations.
 Entities added to the blocked list are considered malicious and will be remediated during Automated investigations.
 You can define the conditions for when entities are identified as malicious or safe based on certain attributes such as hash values or certificates. 
 ## Create an allowed or blocked list
 1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.  
 2. Select the tab of the type of entity you'd like to create an exclusion for. Currently, you can add a rule for certificates. 
 3. Select **Add allowed/blocked list rule**.
 4. For each attribute specify the exclusion type, details, and their corresponding required values.
 5. Click **Add rule**.
 ## Edit a list
 1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.  
 2. Select the tab of the entity type you'd like to edit the list from.  
 3. Update the details of the rule and click **Update rule**.
 ## Delete a list 
 1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.  
 2. Select the tab of the entity type you'd like to delete the list from.
 3. Select the list type by clicking the check-box beside the list type.
 4. Click **Delete**.
 ## Related topics
 - [Manage automation file uploads](manage-automation-file-uploads.md)
 - [Manage indicators](manage-indicators.md)
 - [Manage automation folder exclusions](manage-automation-folder-exclusions.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@ -1,4 +1,4 @@
---
+---
 title: Manage indicators 
 ms.reviewer: 
 description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities.
@ -23,32 +23,117 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
+[!include[Prerelease information](prerelease.md)]
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
 Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
 Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
-On the top navigation you can:
+Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Windows Defender AV).
- Import a list
+**Cloud detection engine**<br>
- Add an indicator
+The cloud detection engine of Microsoft Defender ATP regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC.
 - Customize columns to add or remove columns
 - Export the entire list in CSV format
 - Select the items to show per page
 - Navigate between pages
 - Apply filters
-## Create an indicator
+**Endpoint prevention engine**<br>
 The same list of indicators is honored by the prevention agent. Meaning, if Windows Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Windows Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Windows Defender AV  will not detect nor block the file from being run.
 **Automated investigation and remediation engine**<BR>
 The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad".
 The current supported actions are:
 - Allow 
 - Alert only
 - Alert and block
 You can create an indicator for:
 - Files
 - IP addresses
 - URLs/domains
 >[!NOTE]
 >There is a limit of 5000 indicators per tenant. 
 ![Image of indicators settings page](images/rules-indicators.png)
 ## Create indicators for files
 You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
 There are two ways you can create indicators for files:
 - By creating an indicator through the settings page
 - By creating a contextual indicator using the add indicator button from the file details page
 ### Before you begin
 It's important to understand the following prerequisites prior to creating indicators for files:
 - This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
 - The Antimalware client version must be 4.18.1901.x or later.
 - Supported on machines on Windows 10, version 1703 or later.
 - To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
 - This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
 >[!IMPORTANT]
 >- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action 
 >- Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.
 >- The PE file needs to be in the machine timeline for you to be able to take this action. 
 >[!NOTE]
 >There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
 ### Create an indicator for files from the settings page
 1. In the navigation pane, select **Settings** > **Indicators**.  
-2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities:
+2. Select the **File hash** tab.
   - File hash
   - IP address
   - URLs/Domains
 3. Click **Add indicator**.
-4. For each attribute specify the following details:
+3. Select **Add indicator**.
 4. Specify the following details:
   - Indicator - Specify the entity details and define the expiration of the indicator.
   - Action - Specify the action to be taken and provide a description.
   - Scope - Define the scope of the machine group.
 5. Review the details in the Summary tab, then click **Save**.
 ### Create a contextual indicator from the file details page
 One of the options when taking [response actions on a file](respond-file-alerts.md) is adding an indicator for the file. 
 When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it.
 Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
 ## Create indicators for IPs and URLs/domains (preview)
 Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs through SmartScreen for Microsoft browsers and Network Protection for non-Microsoft browsers and calls made outside the browser.
 The threat intelligence data set for this has been managed by Microsoft.
 By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
 ### Before you begin
 It's important to understand the following prerequisites prior to creating indicators for IPS, URLs or domains:
 - URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Protect your network](network-protection.md).
 - The Antimalware client version must be 4.18.1906.x or later. 
 - Supported on machines on Windows 10, version 1709 or later. 
 - Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).
 >[!NOTE]
 >There may be up to 2 hours latency (usually less) between the time the action is taken, and the URL and IP being blocked. 
 ### Create an indicator for IPs, URLs or domains from the settings page
 1. In the navigation pane, select **Settings** > **Indicators**.  
 2. Select the **IP addresses or URLs/Domains** tab.
 3. Select **Add indicator**.
 4. Specify the following details:
   - Indicator - Specify the entity details and define the expiration of the indicator.
   - Action - Specify the action to be taken and provide a description.
   - Scope - Define the scope of the machine group.
@ -56,10 +141,6 @@ On the top navigation you can:
 5. Review the details in the Summary tab, then click **Save**.
 >[!NOTE]
 >Blocking IPs, domains, or URLs is currently available on limited preview only.
 >This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforced which is an option that will be generally available soon.
 >As it is not yet generally available, when Automated investigations finds this indicator during an investigation it will use the allowed/block list as the basis of its decision to automatically remediate (blocked list) or skip (allowed list) the entity.
 ## Manage indicators
@ -69,12 +150,14 @@ On the top navigation you can:
 3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
-## Import a list
+## Import a list of IoCs
 You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
 Download the sample CSV to know the supported column attributes.
 ## Related topic
 - [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
 - [Use the Microsoft Defender ATP indicators API](ti-indicator.md)
 - [Use partner integrated solutions](partner-applications.md)
 - [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@ -29,6 +29,7 @@ ms.topic: article
 - Submits or Updates new [Indicator](ti-indicator.md) entity.
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
@ -116,3 +117,6 @@ Content-type: application/json
 }
 ```
 ## Related topic
 - [Manage indicators](manage-indicators.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@ -42,6 +42,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 ## Preview features
 The following features are included in the preview release:
 - [Indicators for IP addresses, URLs/Domains](manage-indicators.md) <BR> You can now allow or block URLs/domains using your own threat intelligence. 
 - [Evaluation lab](evaluation-lab.md) <BR> The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
 focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
@ -198,8 +198,9 @@ You can check that devices have been correctly onboarded by creating a script. F
 mdatp --health healthy
 ```
-This script returns:
+The above command prints "1" if the product is onboarded and functioning as expected.
- 0 if Microsoft Defender ATP is registered with the Microsoft Defender ATP service
+
 If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
 - 1 if the device is not yet onboarded
 - 3 if the connection to the daemon cannot be established—for example, if the daemon is not running
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md
@ -34,7 +34,7 @@ If you decide to deploy updates by using your software distribution tools, you s
 ## Use msupdate
-MAU includes a command line tool, called *msupdate*, that is designed for IT administrators so that they have more precise control over when updates are applied. Instructions for how to use this tool can be found in [Update Office for Mac by using msupdate](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate).
+MAU includes a command-line tool, called *msupdate*, that is designed for IT administrators so that they have more precise control over when updates are applied. Instructions for how to use this tool can be found in [Update Office for Mac by using msupdate](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate).
 In MAU, the application identifier for Microsoft Defender ATP for Mac is *WDAV00*. To download and install the latest updates for Microsoft Defender ATP for Mac, execute the following command from a Terminal window:
@ -86,6 +86,17 @@ Change how MAU searches for updates.
 | **Possible values** | Manual <br/> AutomaticCheck <br/> AutomaticDownload |
 | **Comment** |  Note that AutomaticDownload will do a download and install silently if possible. |
 ### Change whether the "Check for Updates" button is enabled
 Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface.
 |||
 |:---|:---|
 | **Domain** | com.microsoft.autoupdate2 |
 | **Key** | EnableCheckForUpdatesButton |
 | **Data type** | Boolean |
 | **Possible values** | True (default) <br/> False |
 ### Disable Insider checkbox
 Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users.
@ -116,6 +127,8 @@ The following configuration profile is used to:
 - Enable the "Check for updates" button in the user interface
 - Allow users on the device to enroll into the Insider channels
 ### JAMF
 ```XML
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@ -135,6 +148,68 @@ The following configuration profile is used to:
 </plist>
 ```
 ### Intune
 ```XML
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1">
    <dict>
        <key>PayloadUUID</key>
        <string>B762FF60-6ACB-4A72-9E72-459D00C936F3</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadOrganization</key>
        <string>Microsoft</string>
        <key>PayloadIdentifier</key>
        <string>com.microsoft.autoupdate2</string>
        <key>PayloadDisplayName</key>
        <string>Microsoft AutoUpdate settings</string>
        <key>PayloadDescription</key>
        <string>Microsoft AutoUpdate configuration settings</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadEnabled</key>
        <true/>
        <key>PayloadRemovalDisallowed</key>
        <true/>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadContent</key>
        <array>
            <dict>
            <key>PayloadUUID</key>
            <string>5A6F350A-CC2C-440B-A074-68E3F34EBAE9</string>
            <key>PayloadType</key>
            <string>com.microsoft.autoupdate2</string>
            <key>PayloadOrganization</key>
            <string>Microsoft</string>
            <key>PayloadIdentifier</key>
            <string>com.microsoft.autoupdate2</string>
            <key>PayloadDisplayName</key>
            <string>Microsoft AutoUpdate configuration settings</string>
            <key>PayloadDescription</key>
            <string/>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadEnabled</key>
            <true/>
            <key>ChannelName</key>
            <string>InsiderFast</string>
            <key>HowToCheck</key>
            <string>AutomaticDownload</string>
            <key>EnableCheckForUpdatesButton</key>
            <true/>
            <key>DisableInsiderCheckbox</key>
            <false/>
            <key>SendAllTelemetryEnabled</key>
            <true/>
            </dict>
        </array>
    </dict>
 </plist>
 ```
 To configure MAU, you can deploy this configuration profile from the management tool that your enterprise is using:
 - From JAMF, upload this configuration profile and set the Preference Domain to *com.microsoft.autoupdate2*.
 - From Intune, upload this configuration profile and set the custom configuration profile name to *com.microsoft.autoupdate2*.