merge security analytics

windows/deployment/update/waas-manage-updates-wufb.md

@@ -25,7 +25,7 @@ ms.date: 10/13/2017
 >
 >In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. 
 
-Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service.  You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines.  
+Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service.  You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices.  
 
 Specifically, Windows Update for Business allows for: 
 
@@ -33,6 +33,7 @@ Specifically, Windows Update for Business allows for:
 - Selectively including or excluding drivers as part of Microsoft-provided updates
 - Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune.
 - Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution.
+- Control over diagnostic data level to provide reporting and insights in Windows Analytics.
 
 Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education.
 

windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md

@@ -22,7 +22,6 @@ ms.date: 03/05/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-[!include[Prerelease information](prerelease.md)]
 
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-abovefoldlink) 
@@ -30,12 +29,11 @@ ms.date: 03/05/2018
 
 The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
 
->[!IMPORTANT]
-> This feature is available for machines on Windows 10, version  1703 or later. 
+ 
 
 The **Security analytics dashboard** displays a snapshot of:
 - Organizational security score
-- Security coverage
+- Windows Defender security controls
 - Improvement opportunities
 - Security score over time
 
@@ -55,11 +53,11 @@ In the example image, the total points from the **Improvement opportunities** ti
 
 You can set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard through the **Preferences settings**. For more information, see [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md).
 
-## Security coverage
-The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention. 
+## Windows Defender security controls
+The security controls tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention. 
 
 
-![Security coverage](images/atp-security-coverage.png)
+![Security coverage](images/atp-security-controls.png)
 
 ## Improvement opportunities 
 Improve your organizational security score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
@@ -89,12 +87,15 @@ You can click on specific date points to see the total score for that security c
 ### Endpoint detection and response (EDR) optimization
 For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for your Endpoint detection and response tool.
 
+>[!IMPORTANT]
+> This feature is available for machines on Windows 10, version  1607 or later.  EVALD PLEASE DOUBLE CHECK!!!
+
 #### Minimum baseline configuration setting for EDR:
 - Windows Defender ATP sensor is on
 - Data collection is working correctly
 - Communication to Windows Defender ATP service is not impaired
 
-#### Minimum baseline configuration setting for EDR:
+##### Recommended actions:
 You can take the following actions to increase the overall security score of your organization:
 - Turn on sensor
 - Fix sensor data collection
@@ -105,6 +106,9 @@ For more  information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows
 ### Windows Defender Antivirus (Windows Defender AV) optimization
 For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AV is fulfilled.
 
+>[!IMPORTANT]
+> This feature is available for machines on Windows 10, version  1607 or later.  EVALD PLEASE DOUBLE CHECK!!!
+
 #### Minimum baseline configuration setting for Windows Defender AV:
 Endpoints are considered "well configured" for Windows Defender AV if the following requirements are met:
 
@@ -133,6 +137,9 @@ For more information, see [Configure Windows Defender Antivirus](../windows-defe
 ### OS security updates optimization
 This tile shows you the exact number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds.
  
+>[!IMPORTANT]
+> This feature is available for machines on Windows 10, version  1607 or later.  EVALD PLEASE DOUBLE CHECK!!!
+
 You can take the following actions to increase the overall security score of your organization:
 - Install the latest security updates
 - Fix sensor data collection
@@ -144,6 +151,10 @@ For more information, see [Windows Update Troubleshooter](https://support.micros
 ### Windows Defender Exploit Guard (Windows Defender EG) optimization
 For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender EG events on the Windows Defender ATP Machine timeline. 
 
+
+>[!IMPORTANT]
+> This feature is available for machines on Windows 10, version  1703 or later.
+
 #### Minimum baseline configuration setting for Windows Defender EG:
 Endpoints are considered "well configured" for Windows Defender EG if the following requirements are met:
 
@@ -175,6 +186,12 @@ Block Office applications from creating executable content  | 3B576869-A4EC-4529
 Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
 Block execution of potentially obfuscated scripts  | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
 Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block process creations originating from Psexec and WMI commands | D1E49AAC-8F56-4280-B9BA-993A6D77406C
+Block untrusted and unsigned processes that run from USB (File ASR/Protection) | B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4
+Block executable files from running unless they meet a prevalence/age | 01443614-CD74-433A-B99E-2ECDC07BFC25
+Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 CHECK WITH EVALD!!!!
+Use advanced protection against ransomware | C1DB55AB-C21A-4637-BB3F-A12568109D35 CHECK WITH EVALD!!!!
+
 
 
 >[!NOTE]
@@ -201,6 +218,9 @@ For more information, see [Windows Defender Exploit Guard](../windows-defender-e
 ### Windows Defender Application Guard (Windows Defender AG) optimization
 For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender AG events on the Windows Defender ATP Machine timeline. 
 
+>[!IMPORTANT]
+>This security control is only applicable for endpoints with Windows 10, version 1709 or later.
+
 #### Minimum baseline configuration setting for Windows Defender AG:
 Endpoints are considered "well configured" for Windows Defender AG if the following requirements are met:
 
@@ -225,6 +245,9 @@ For more information, see [Windows Defender Application Guard overview](../windo
 ### Windows Defender SmartScreen optimization
 For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled.
 
+>[!IMPORTANT]
+>This security control is only applicable for endpoints with Windows 10, version 1709 or later.
+
 #### Minimum baseline configuration setting for Windows Defender SmartScreen:
 The following settings must be configured with the following settings:
 - Check apps and files: **Warn** or **Block** 
@@ -241,9 +264,98 @@ For more information, see [Windows Defender SmartScreen](../windows-defender-sma
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) 
 
+### Windows Defender Firewall optimization
+For an endpoint to be considered "well configured", Windows Defender Firewall must be turned on and enabled for all profiles and inbound connections are blocked by default. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender Firewall is fulfilled. 
+
+>[!IMPORTANT]
+>This security control is only applicable for endpoints with Windows 10, version 1709 or later.
+
+#### Minimum baseline configuration setting for Defender Firewall 
+
+- Windows Defender Firewall is turned on for all network connections
+- Secure domain profile by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked
+- Secure private profile by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked
+- Secure public profile is configured by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked
+
+For more information on Windows Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy).
+
+>[!NOTE]
+> If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely.
+
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Turn on firewall
+- Secure domain profile 
+- Secure private profile
+- Secure public profile
+- Verify secure configuration of third-party firewall
+- Fix sensor data collection
+  - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
+
+For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security).
+
+### Windows Hello optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Hello is fulfilled. 
+
+>[!IMPORTANT]
+>This security control is only applicable for endpoints with Windows 10, version 1803 or later.
+
+#### Minimum baseline configuration setting for Windows Hello
+- Windows Hello is configured for all users
+- Users are encouraged to use Windows Hello
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Configure Windows Hello for all users
+- Encourage all users to use Windows Hello
+
+### BitLocker optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for BitLocker is fulfilled. 
+
+>[!NOTE]
+>This security control is currently only applicable for endpoints with Windows 10, Insider Preview build.
+
+#### Minimum baseline configuration setting for BitLocker
+- Ensure all supported internal drives are encrypted
+- Ensure that all suspended protection on drives resume protection 
+
+>[!IMPORTANT]
+>This security control is only applicable for endpoints with Windows 10, version 1803 or later.
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Encrypt all supported drives
+- Resume protection on all drives
+- Fix sensor data collection
+  - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
+
+
+### Windows Defender Credential Guard optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender Credential Guard is fulfilled.
+
+>[!IMPORTANT]
+> This feature is available for machines on Windows 10, version  1703 or later.  
+
+#### Minimum baseline configuration setting for Windows Defender Credential Guard:
+Endpoints are considered "well configured" for Windows Defender Credential Guard if the following requirements are met:
+
+- Hardware and software prerequisites are met
+- Windows Defender Credential Guard is turned on on compatible machines
+
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+
+- Ensure hardware and software prerequisites are met
+- Turn on Credential Guard 
+- Fix sensor data collection
+  - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
+
+
 ## Related topics
 - [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md)
 - [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
+